CVE-2026-25808

HIGH · EPSS 35.9%
Published Feb 9, 2026 (4mo ago) · Modified Jun 17, 2026 (1w ago)
CVSS 3.1 Base Score 7.5 (High)

Description

Hollo is a federated single-user microblogging software designed to be federated through ActivityPub. Prior to 0.6.20 and 0.7.2, there is a security vulnerability where DMs and followers-only posts were exposed through the ActivityPub outbox endpoint without authorization. This vulnerability is fixed in 0.6.20 and 0.7.2.

CVSS Details

Base Score
7.5
Exploitability
3.9
Impact
3.6
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality High
Integrity None
Availability None

Threat Intelligence

EPSS Exploit Probability
35.9% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available

Weaknesses 1

CWE-862 Missing Authorization

Affected Products 2

Vendor   Product   Version   Range
fedify   hollo     *         ≥0.6.0  –  <0.6.20
fedify   hollo     *         ≥0.7.0  –  <0.7.2

References 4

  • github.com https://github.com/fedify-dev/hollo/commit/329969c502ef092d5c3f9c2c20421c34f4ff0f0e
    Patch
  • github.com https://github.com/fedify-dev/hollo/releases/tag/0.6.20
    Product, Release Notes
  • github.com https://github.com/fedify-dev/hollo/releases/tag/0.7.2
    Product, Release Notes
  • github.com https://github.com/fedify-dev/hollo/security/advisories/GHSA-6r2w-3pcj-v4v5
    Exploit, Vendor Advisory

Remediation

  • github.com https://github.com/fedify-dev/hollo/commit/329969c502ef092d5c3f9c2c20421c34f4ff0f0e
    Patch