CVE-2026-42462
June 10, 2026, 10:16 p.m.
7.0
Medium
Description
Fedify is a TypeScript library for building federated server apps powered by ActivityPub. Prior to versions 1.9.11, 1.10.10, 2.0.18, 2.1.14, and 2.2.3, an attacker can make use of JSON-LD features to restructure a JSON-LD document that would change how Fedify interprets it without changing its Linked Data Signature, allowing them to alter a third-party signed activity they have received. Versions 1.9.11, 1.10.10, 2.0.18, 2.1.14, and 2.2.3 fix the issue.
Product(s) Impacted
| Vendor | Product | Versions |
|---|---|---|
| Fedify |
|
|
Weaknesses
Common security weaknesses mapped to this vulnerability.
CWE-180
Incorrect Behavior Order: Validate Before Canonicalize
The product validates input before it is canonicalized, which prevents the product from detecting data that becomes invalid after the canonicalization step.
*CPE(s)
Affected systems and software identified for this CVE.
| Type | Vendor | Product | Version | Update | Edition | Language | Software Edition | Target Software | Target Hardware | Other Information |
|---|---|---|---|---|---|---|---|---|---|---|
| a | fedify | fedify | / | / | / | / | / | / | / | / |
Tags
CVSS Score
CVSS Data - 3.1
- Attack Vector: NETWORK
- Attack Complexity: HIGH
- Privileges Required: NONE
- Scope: UNCHANGED
- Confidentiality Impact: LOW
- Integrity Impact: HIGH
- Availability Impact: LOW
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L
Timeline
Published: June 10, 2026, 10:16 p.m.
Last Modified: June 10, 2026, 10:16 p.m.
Last Modified: June 10, 2026, 10:16 p.m.
Status : Received
CVE has been recently published to the CVE List and has been received by the NVD.
More infoSource
*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.