
Description

Hollo is single-user microblogging software that federates over ActivityPub. Prior to 0.6.20 and 0.7.2, DMs and followers-only posts were exposed through the ActivityPub outbox endpoint without authorization: the outbox served posts that should only have been visible to their addressees or to the account's followers, so any remote party fetching the collection could read them. The vulnerability is fixed in 0.6.20 and 0.7.2.
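The bug class the description names is a collection endpoint that serialises every stored post without checking who is asking. The following is an added example written for this page, not Hollo's own code: it models an outbox handler in TypeScript (Hollo's language), with the unfiltered version beside a hardened one that keys each post's inclusion on its visibility and on the authenticated requester. The Post and OutboxRequest shapes, the visibility names, the actor URIs and the sample posts are all constructed for illustration and do not correspond to Hollo's data model.

```typescript
// Added example (not Hollo's code). Models CVE-2026-25808's bug class: an
// ActivityPub outbox that hands DMs and followers-only posts to anyone.

type Visibility = "public" | "unlisted" | "followers" | "direct";

interface Post {
  id: string;          // object URI of the post
  content: string;
  visibility: Visibility;
  to: string[];        // for "direct" posts: actor URIs the post was addressed to (assumed field)
}

// Constructed sample data standing in for one account's stored posts.
const POSTS: Post[] = [
  { id: "https://example.test/@alice/1", content: "hello world",    visibility: "public",    to: [] },
  { id: "https://example.test/@alice/2", content: "quiet post",     visibility: "unlisted",  to: [] },
  { id: "https://example.test/@alice/3", content: "followers only", visibility: "followers", to: [] },
  { id: "https://example.test/@alice/4", content: "a DM for bob",   visibility: "direct",    to: ["https://example.test/@bob"] },
];

// Who is fetching the outbox. `requester` is the actor URI proven by a verified
// HTTP signature on the GET, or null for an anonymous fetch. `followers` is the
// account's follower set (assumed to come from a lookup the server already does).
interface OutboxRequest {
  requester: string | null;
  followers: Set<string>;
}

// VULNERABLE: every post goes into the collection, whoever asks.
function outboxItemsVulnerable(posts: Post[], _req: OutboxRequest): string[] {
  return posts.map((p) => p.id);
}

// Authorization decision for one post. Fails closed for anything unrecognised.
function canView(post: Post, req: OutboxRequest): boolean {
  switch (post.visibility) {
    case "public":
    case "unlisted":
      return true;
    case "followers":
      return req.requester !== null && req.followers.has(req.requester);
    case "direct":
      return req.requester !== null && post.to.includes(req.requester);
    default:
      return false;
  }
}

// FIXED: only posts the requester is authorized to see are listed. An anonymous
// fetch therefore yields public and unlisted posts only.
function outboxItems(posts: Post[], req: OutboxRequest): string[] {
  return posts.filter((p) => canView(p, req)).map((p) => p.id);
}
```

Note that the check has to be applied when the collection is built, not only on the individual object endpoints: an outbox that embeds or links restricted object URIs already discloses that they exist, and embedded objects disclose their content outright.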

PUBLISHED Reserved 2026-02-05 | Published 2026-02-09 | Updated 2026-02-10 | Assigner GitHub_M




HIGH: 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Problem types

CWE-862: Missing Authorization

Product status

< 0.6.20
affected (fixed in 0.6.20)

>= 0.7.0, < 0.7.2
affected (fixed in 0.7.2)

References

github.com/.../hollo/security/advisories/GHSA-6r2w-3pcj-v4v5

github.com/...ommit/329969c502ef092d5c3f9c2c20421c34f4ff0f0e

github.com/fedify-dev/hollo/releases/tag/0.6.20

github.com/fedify-dev/hollo/releases/tag/0.7.2

cve.org (CVE-2026-25808)

nvd.nist.gov (CVE-2026-25808)
