CVE-2026-50129
Received - Intake
BaseFortify

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: GitHub, Inc.

Description
Mastodon is a free, open-source social network server based on ActivityPub. Prior to 4.5.11, 4.4.18, and 4.3.24, a DoS can be triggered through an uncaught exception vulnerability caused by missing exception handling in the math sanitizer. Malformed <math> nodes can result in a DoS of a whole server or of targeted users' services, depending on the type of action that includes the malformed nodes and the services interacting with it. This vulnerability is fixed in 4.5.11, 4.4.18, and 4.3.24.
Meta Information
Published: 2026-06-24
Last Modified: 2026-06-24
Generated: 2026-06-25
AI Q&A: 2026-06-25
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
mastodon mastodon to 4.5.11 (inc)
mastodon mastodon 4.5.11
CWE
CWE ID Description
CWE-248 An exception is thrown from a function, but it is not caught.
Executive Summary

This vulnerability affects Mastodon, an open-source social network server. It is caused by missing exception handling in the math sanitizer component. Specifically, malformed <math> nodes can trigger an uncaught exception, which leads to a denial of service (DoS). This means that either the entire server or specific user services can be disrupted depending on how the malformed nodes are processed.

Impact Analysis

The impact of this vulnerability is a denial of service (DoS) condition. Attackers can exploit malformed <math> nodes to cause the Mastodon server or targeted user services to become unavailable. This can disrupt normal operations and prevent users from accessing the social network services.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade your Mastodon server to one of the fixed versions: 4.5.11, 4.4.18, or 4.3.24.

This update addresses the uncaught exception vulnerability in the math sanitizer that can cause a denial of service.
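
To find servers that still need the upgrade, the sketch below classifies version strings against the three fixed releases. It is an added example, not code from Mastodon or from this advisory; the inventory, the host names, the `/api/v2/instance` response shape and the handling of pre-release and fork suffixes are assumptions.

```ruby
require 'json'

# Fixed patch level per release branch, from the advisory text
# (4.5.11, 4.4.18, 4.3.24).
FIXED_PATCH = { [4, 5] => 11, [4, 4] => 18, [4, 3] => 24 }.freeze

# major.minor.patch, optional -prerelease, optional +build (e.g. "+glitch").
VERSION_RE = /\A v? (\d+)\.(\d+)\.(\d+) (-[0-9A-Za-z.-]+)? (\+[0-9A-Za-z.-]+)? \z/x

# Returns :affected, :fixed or :unknown for one version string.
def math_sanitizer_dos_status(version)
  m = VERSION_RE.match(version.to_s.strip)
  return :unknown unless m

  branch = [m[1].to_i, m[2].to_i]
  patch = m[3].to_i
  fixed = FIXED_PATCH[branch]
  if fixed
    # Assumption: a pre-release of the fixed patch level sorts before the
    # release itself and is treated as still affected.
    return :affected if patch < fixed || (patch == fixed && m[4])
    return :fixed
  end
  # Branches older than the oldest patched branch have no fixed release
  # listed in the advisory, so every version on them counts as affected.
  return :affected if (branch <=> FIXED_PATCH.keys.min) < 0
  :unknown # newer branch than any the advisory names
end

# Constructed inventory: host => body of an instance API response, trimmed
# to the "version" field (assumed shape). Host names are placeholders.
SAMPLE_INVENTORY = {
  'social.example.org' => '{"version":"4.5.10"}',
  'glitch.example.org' => '{"version":"4.4.18+glitch"}',
  'legacy.example.org' => '{"version":"4.2.29"}',
  'staging.example.org' => '{"version":"4.3.24-rc.1"}',
  'patched.example.org' => '{"version":"4.5.11"}',
  'broken.example.org' => 'upstream timeout'
}.freeze

# Groups hosts by status; an unparseable response lands in :unknown.
def triage(inventory)
  inventory.each_with_object(Hash.new { |h, k| h[k] = [] }) do |(host, body), out|
    version = (JSON.parse(body)['version'] rescue nil)
    out[math_sanitizer_dos_status(version)] << host
  end
end

triage(SAMPLE_INVENTORY).each { |status, hosts| puts "#{status}: #{hosts.join(', ')}" }
```

Hosts reported as `unknown` need a manual check, since a server that cannot report its version has not been shown to be patched.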
