Misskey and Sharkey, ActivityPub-based social network services (similar to
Mastodon), have released updates to patch vulnerabilities Sharkey maintainers
describe as "extremely severe".

Updated versions are 2026.3.1
<https://github.com/misskey-dev/misskey/releases/tag/2026.3.1> and 2025.4.6
<https://activitypub.software/TransFem-org/Sharkey/-/releases/2025.4.6>
respectively. Sharkey is a fork of Misskey, so some of the vulnerabilities are
shared, but Sharkey developers have not provided any details so it is not clear
which ones. They have promised to publish details "at a future date" (see the
release page above).

Misskey has detailed the following vulnerabilities, summarized from the detailed
advisories:

  * CVE-2026-28431: multiple information disclosure vulnerabilities due to
    missing permission checks (multiple severities, highest is CVSSv4 9.2).
    Advisories:
    <https://github.com/misskey-dev/misskey/security/advisories/GHSA-r33c-qg3g-v9cr>
    <https://github.com/misskey-dev/misskey/security/advisories/GHSA-cvf3-p7p2-27fh>
    <https://github.com/misskey-dev/misskey/security/advisories/GHSA-gg7j-c76w-8x3g>

  * CVE-2026-28432: authentication bypass in ActivityPub federation (7.1).
    Advisory:
    <https://github.com/misskey-dev/misskey/security/advisories/GHSA-grwc-c762-gcvp>

  * CVE-2026-28433: authorization bypass in user data import (2.3). Advisory:
    <https://github.com/misskey-dev/misskey/security/advisories/GHSA-g6hj-33h7-6fq8>

The Sharkey announcement from two days ago advising server administrators of the
upcoming release, but providing no concrete details:
<https://sharkey.team/notes/ajka8rybkjf80061>

 -Valtteri