SB2026042869 - Multiple vulnerabilities in Misskey
Published: April 28, 2026
Description
This security bulletin contains information about two security vulnerabilities.
1) Input validation error (CVE-ID: CVE-2025-46559)
The vulnerability allows a remote user to access unintended endpoints and modify data.
The vulnerability exists due to improper input validation in the Mk:api AiScript function when processing user-supplied endpoint paths. The function does not reject directory traversal sequences, so a remote user can supply a path prefixed with ../ to reach endpoints the function was not meant to expose and modify data.
User interaction is required: a victim must run the attacker's AiScript code (for example by opening a Play that contains it), and the resulting requests are issued from the victim's browser session.
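The path-handling flaw described above, illustrated as an added JavaScript example. This is not Misskey's code: it models a script host that prefixes a script-chosen endpoint name with an API base path and screens a blocklist on the raw string, then shows a hardened version that validates the endpoint grammar and re-checks the normalized path. API_BASE, the blocklist, the endpoint grammar and the endpoint names used are assumptions for the demo.

```javascript
// Added illustration of the Mk:api endpoint-path flaw. NOT Misskey's code:
// a minimal model of a script host that prefixes a script-chosen endpoint
// name with the API base and screens a blocklist on the raw string.
// API_BASE, BLOCKED_PREFIXES and the endpoint names below are assumptions.

const API_BASE = "/api";
const BLOCKED_PREFIXES = ["admin/"]; // hypothetical: endpoints scripts must never reach

// How the browser will actually resolve a request path: WHATWG URL parsing
// removes "." and ".." segments before the request is sent.
function normalizePath(path) {
  return new URL(path, "https://misskey.example").pathname;
}

// Vulnerable pattern: the blocklist check sees the raw string, then the string
// is pasted after the API base. "../admin/x" passes the check and becomes
// "/api/../admin/x", which the browser sends as "/admin/x"; "notes/../admin/x"
// passes too and resolves to "/api/admin/x", bypassing the blocklist.
function buildEndpointUrlVulnerable(endpoint) {
  if (BLOCKED_PREFIXES.some((p) => endpoint.startsWith(p))) {
    throw new Error("blocked endpoint");
  }
  return `${API_BASE}/${endpoint}`;
}

// Hardened pattern: accept only a strict endpoint grammar (assumed here:
// lowercase alphanumerics and hyphens, segments separated by single slashes,
// no segment starting with a dot or hyphen), then re-check the *normalized*
// path so that nothing can have escaped the base.
const ENDPOINT_RE = /^[a-z0-9][a-z0-9-]*(\/[a-z0-9][a-z0-9-]*)*$/;

function buildEndpointUrlSafe(endpoint) {
  if (!ENDPOINT_RE.test(endpoint)) {
    throw new Error(`malformed endpoint: ${JSON.stringify(endpoint)}`);
  }
  const raw = `${API_BASE}/${endpoint}`;
  const normalized = normalizePath(raw);
  // Defence in depth: normalization must be a no-op and the result must still
  // sit under the API base; run the blocklist on the normalized form.
  if (normalized !== raw || !normalized.startsWith(`${API_BASE}/`)) {
    throw new Error("endpoint escapes the API base");
  }
  const relative = normalized.slice(API_BASE.length + 1);
  if (BLOCKED_PREFIXES.some((p) => relative.startsWith(p))) {
    throw new Error("blocked endpoint");
  }
  return normalized;
}

// True if the hardened builder refuses the endpoint.
function isRejected(endpoint) {
  try {
    buildEndpointUrlSafe(endpoint);
    return false;
  } catch (e) {
    return true;
  }
}

// Constructed inputs showing the difference between the two builders.
for (const ep of ["notes/create", "../admin/accounts", "notes/../admin/accounts", "notes/%2e%2e/admin"]) {
  let vulnerable;
  try {
    vulnerable = normalizePath(buildEndpointUrlVulnerable(ep));
  } catch (e) {
    vulnerable = `rejected (${e.message})`;
  }
  const hardened = isRejected(ep) ? "rejected" : buildEndpointUrlSafe(ep);
  console.log(`${ep}  vulnerable -> ${vulnerable}  hardened -> ${hardened}`);
}
```

The second line of output is the point of the advisory: the vulnerable builder lets "../admin/accounts" through its blocklist and the browser then requests "/admin/accounts", outside the API base entirely; the third line shows that a traversal in the middle of the path ("notes/../admin/accounts") also bypasses a raw-string blocklist.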
2) Input validation error (CVE-ID: CVE-2025-46340)
The vulnerability allows a remote attacker to disclose sensitive information and modify the user interface.
The vulnerability exists due to improper input validation in the MkUrlPreview component when rendering URL preview metadata into a background-image style. The preview image value is taken from the linked page's metadata and interpolated into the style without being validated or escaped, so a remote attacker who controls a linked page can supply a specially crafted image value to disclose sensitive information and modify the user interface.
Because the value lands inside a style string, an attacker can inject arbitrary CSS into the preview element, for example to overlay deceptive content such as a fake error message intended to trick users into revealing credentials.
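The CSS-injection hazard described above, illustrated as an added JavaScript example. This is not Misskey's code: it models a preview card that renders link metadata (title and thumbnail URL fetched from the linked page) into an inline style, first in the vulnerable string-interpolation form and then with the thumbnail validated and emitted as an escaped CSS string. The hostnames and metadata values are constructed for the demo.

```javascript
// Added illustration of the MkUrlPreview CSS-injection hazard. NOT Misskey's
// code: a model of a preview card that puts link metadata into an inline
// style. Hostnames and metadata values below are constructed for the demo.

function escapeHtmlAttr(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Vulnerable pattern: the thumbnail URL is interpolated straight into a style
// string. The value is attacker-controlled (it comes from the linked page's
// metadata), so a value such as
//   x); position:fixed; inset:0; z-index:9999; background:#fff url(https://attacker.example/fake-login.png
// closes url(), appends declarations that stretch the card over the whole
// viewport, and paints whatever the attacker wants (e.g. a fake "session
// expired, sign in again" dialog). The template's trailing ")" closes the
// injected url().
function renderPreviewVulnerable(meta) {
  return `<a class="url-preview" style="background-image: url(${meta.thumbnail})">` +
    `${escapeHtmlAttr(meta.title)}</a>`;
}

// Hardened helper: parse the thumbnail as an absolute URL, allow only http(s),
// and emit it as a double-quoted CSS string. The URL parser already
// percent-encodes space and '"' in the path and strips newlines; backslash
// and '"' are escaped explicitly because they can survive in a query or
// fragment. Returns null if the value cannot be used.
function thumbnailToCssUrl(raw) {
  let url;
  try {
    url = new URL(raw);
  } catch (e) {
    return null; // not an absolute URL (e.g. "x); position:fixed")
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    return null; // refuse data:, javascript:, etc.
  }
  const cssString = url.href.replace(/\\/g, "\\\\").replace(/"/g, '\\"');
  return `url("${cssString}")`;
}

function renderPreviewSafe(meta) {
  const cssUrl = thumbnailToCssUrl(meta.thumbnail);
  if (cssUrl === null) {
    throw new Error(`rejected thumbnail ${JSON.stringify(meta.thumbnail)}`);
  }
  // Entity-escape the whole attribute, including the CSS string's quotes;
  // the browser decodes the entities before the CSS parser sees the value.
  return `<a class="url-preview" style="background-image: ${escapeHtmlAttr(cssUrl)}">` +
    `${escapeHtmlAttr(meta.title)}</a>`;
}

// Constructed metadata: one benign preview, one from an attacker's page.
const benignMeta = { title: "Misskey docs", thumbnail: "https://cdn.example/preview.png" };
const attackerMeta = {
  title: "Totally normal link",
  thumbnail: "x); position:fixed; inset:0; z-index:9999; background:#fff url(https://attacker.example/fake-login.png",
};

console.log(renderPreviewVulnerable(attackerMeta)); // card now covers the viewport
console.log(renderPreviewSafe(benignMeta));
try {
  renderPreviewSafe(attackerMeta);
} catch (e) {
  console.log(e.message); // rejected: the value is not an absolute http(s) URL
}
```

In a DOM or Vue application the equivalent fix is to bind the property as a single value (the object form of Vue's :style, or el.style.backgroundImage) instead of building a style string, so that the value cannot introduce further declarations; the URL validation stays the same either way.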
Remediation
Install the update from the vendor's website.