CVE-2025-32946

low-risk

Published 2025-04-15

This vulnerability allows any attacker to add playlists to a different user’s channel using the ActivityPub protocol. The vulnerable code sets the owner of the new playlist to be the user who performed the request, and then sets the associated channel to the channel ID supplied by the request, without checking if it belongs to the user.

Do I need to act?

0.08% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 5.3/10 Medium

NETWORK / LOW complexity

Affected Products (1)

Peertube

Affected Vendors

Framasoft

References (2)

Release Notes https://github.com/Chocobozzz/PeerTube/releases/tag/v7.1.1

Exploit https://research.jfrog.com/vulnerabilities/peertube-arbitrary-playlist-creation-...

/ 100

low-risk

Severity 21/34 · High

Exploitability 0/34 · Minimal

Exposure 5/34 · Minimal