5.3

CVE-2025-32946

Exploit

EPSS 0.09%
Veröffentlicht 15.04.2025 12:58:08
Zuletzt bearbeitet 21.10.2025 16:32:53
Quelle reefs@jfrog.com
CVE-Watchlists
Login
Unerledigt
Login

This vulnerability allows any attacker to add playlists to a different user’s channel using the ActivityPub protocol. The vulnerable code sets the owner of the new playlist to be the user who performed the request, and then sets the associated channel to the channel ID supplied by the request, without checking if it belongs to the user.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Framasoft ≫ Peertube Version < 7.1.1

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.09%	0.246

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
reefs@jfrog.com	5.3	3.9	1.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CWE-282 Improper Ownership Management

The product assigns the wrong ownership, or does not properly verify the ownership, of an object or resource.

https://github.com/Chocobozzz/PeerTube/releases/tag/v7.1.1

Release Notes

https://research.jfrog.com/vulnerabilities/peertube-arbitrary-playlist-creation-activitypub/

Third Party Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2025-32946

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-32946

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-32946

EUVD