CVE-2025-32946

EUVD-2025-10976
This vulnerability allows any attacker to add playlists to a different user’s channel using the ActivityPub protocol. The vulnerable code sets the owner of the new playlist to be the user who performed the request, and then sets the associated channel to the channel ID supplied by the request, without checking if it belongs to the user.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
5.3 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
JFROGCNA
5.3 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 24%
Affected Products (NVD)
VendorProductVersion
framasoftpeertube
𝑥
< 7.1.1
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/Chocobozzz/PeerTube/releases/tag/v7.1.1
https://research.jfrog.com/vulnerabilities/peertube-arbitrary-playlist-creation-activitypub/