Input validation error in Misskey - CVE-2025-46340

 


Published: April 28, 2026


Vulnerability identifier: #VU128338
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2025-46340
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Misskey Development Division
Affected software:
Misskey

Detailed vulnerability description

The vulnerability allows a remote attacker to disclose sensitive information and modify the user interface.

The vulnerability exists due to improper input validation in MkUrlPreview when rendering URL preview metadata into a background-image style. A remote attacker can supply a specially crafted URL preview image value to disclose sensitive information and modify the user interface.

An attacker can inject arbitrary CSS into the preview element, which can be used to display deceptive content such as a fake error message intended to trick users into revealing credentials.
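The class of bug described above, shown as an added example that is not Misskey's code or its actual patch: a style string built by concatenating untrusted preview metadata, next to a hardened builder. The function names, the 2048-character limit and the sample inputs are assumptions made for this illustration.

```javascript
// Weak pattern: untrusted metadata is concatenated into a style string,
// so anything after the first ")" is parsed as further CSS declarations.
function unsafePreviewStyle(thumbnail) {
  return `background-image: url(${thumbnail})`;
}

// Hardened pattern: parse the value as a URL, allow only http(s), then emit
// it as a quoted CSS string in which every character outside a conservative
// allowlist is written as a CSS hex escape. Returns a style object (one
// property, one value) instead of a free-form declaration string.
function safePreviewStyle(thumbnail) {
  if (typeof thumbnail !== 'string' || thumbnail.length > 2048) return null;
  let parsed;
  try {
    parsed = new URL(thumbnail);
  } catch {
    return null; // not an absolute URL
  }
  if (parsed.protocol !== 'https:' && parsed.protocol !== 'http:') return null;
  const escaped = parsed.href.replace(
    /[^A-Za-z0-9\-._~:\/?#@!$&*+,=%\[\]]/g,
    (c) => '\\' + c.codePointAt(0).toString(16) + ' '
  );
  return { backgroundImage: `url("${escaped}")` };
}

// Constructed sample values, not taken from the advisory.
const benign = 'https://example.test/thumb.png';
const crafted = 'https://example.test/a.png); color: red; background: url(https://example.test/b.png';

console.log(unsafePreviewStyle(crafted)); // extra declarations leak out of url()
console.log(safePreviewStyle(crafted));   // one quoted url() value
console.log(safePreviewStyle(benign));
console.log(safePreviewStyle('data:image/png;base64,AAAA')); // null: scheme rejected
```

Validation of this kind belongs wherever the preview metadata is turned into a style; rejecting the value (returning `null`) should make the component fall back to rendering no thumbnail.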


How to mitigate CVE-2025-46340

Install the security update from the vendor's website.
