If you are running a version of either Misskey or Mastodon that is more than a year old, I strongly urge you to reconsider your reasons for not upgrading.

This low-effort exploit (see screenshot) can be executed on Mastodon 4.0.x through 4.3.x. If you are still running Mastodon 2.x or 3.x, the situation is significantly worse.

⚠️ This isn't just a Mastodon issue; it affects Misskey too. If you are using a version of Misskey older than 2025, you have simply been lucky so far.

For context, the current version of Mastodon is 4.5.11 (with 4.6 beta 1 available), and the current version of Misskey is 2026.5.4 (with 2026.6.0 available). There is no better time to upgrade than right now. ⏳

In my opinion, the Fediverse has been incredibly lucky. Most of you have only had to deal with the occasional bot or script kiddie trying to spam your site. However, leaving your software unpatched exposes you to much more severe threats.

Frankly, as someone who used to manage online forum communities, I don’t understand the reluctance to upgrade. You aren't just leaving yourself vulnerable — you are risking the security of the hundreds or thousands of users who have placed their trust in your ability to manage the platform safely.

#Mastodon #MastoAdmin #FediAdmin #Misskey #Forum #Community #ActivityPub #Fediverse