CVE-2025-32946
CVE-2025-32946 is a medium-severity vulnerability in Framasoft Peertube with a CVSS 3.x base score of 5.3. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-282.
Key facts
- Severity: Medium (CVSS 3.x base score 5.3)
- EPSS exploit prediction: 0% (25th percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2025-10976
- Weakness: CWE-282
- Affected product: Framasoft Peertube
- Published:
- Last modified:
Description
This vulnerability allows any attacker to add playlists to a different user’s channel using the ActivityPub protocol. The vulnerable code sets the owner of the new playlist to be the user who performed the request, and then sets the associated channel to the channel ID supplied by the request, without checking if it belongs to the user.
Frequently asked questions
- What is CVE-2025-32946?
- This vulnerability allows any attacker to add playlists to a different user’s channel using the ActivityPub protocol. The vulnerable code sets the owner of the new playlist to be the user who performed the request, and then sets the associated channel to the channel ID supplied by the request, without checking if it belongs to the user.
- How severe is CVE-2025-32946?
- CVE-2025-32946 has a CVSS 3.x base score of 5.3, rated medium severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is none, integrity low, and availability none.
- Is CVE-2025-32946 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (25th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2025-32946?
- CVE-2025-32946 affects Framasoft Peertube. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2025-32946?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- Does CVE-2025-32946 have an EU (EUVD) identifier?
- Yes. CVE-2025-32946 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2025-10976.
- When was CVE-2025-32946 published?
- CVE-2025-32946 was published on 2025-04-15 and last updated on 2026-06-17.
References
- https://github.com/Chocobozzz/PeerTube/releases/tag/v7.1.1
- https://research.jfrog.com/vulnerabilities/peertube-arbitrary-playlist-creation-activitypub/
Affected products (1)
- cpe:2.3:a:framasoft:peertube:*:*:*:*:*:*:*:*
More vulnerabilities in Framasoft Peertube
- CVE-2025-32948 — High (CVSS 7.5): The vulnerability allows any attacker to cause the PeerTube server to stop functioning, or in special cases send…
- CVE-2025-32947 — High (CVSS 7.5): This vulnerability allows any attacker to cause the PeerTube server to stop responding to requests due to an infinite…
- CVE-2022-0133 — High (CVSS 7.5): peertube is vulnerable to Improper Access Control
- CVE-2022-0132 — High (CVSS 7.5): peertube is vulnerable to Server-Side Request Forgery (SSRF)
- CVE-2025-32949 — Medium (CVSS 6.5): This vulnerability allows any authenticated user to cause the server to consume very large amounts of disk space when…
- CVE-2025-32944 — Medium (CVSS 6.5): The vulnerability allows any authenticated user to cause the PeerTube server to stop functioning in a persistent…
All CVEs affecting Framasoft Peertube →
Other CWE-282 vulnerabilities
- CVE-2026-23514 — High (CVSS 8.8): Kiteworks is a private data network (PDN). Versions 9.2.0 and 9.2.1 of Kiteworks Core have an access control…
- CVE-2020-10632 — High (CVSS 8.8): Inadequate folder security permissions in Emerson OpenEnterprise versions through 3.3.4 may allow modification of…
- CVE-2025-27254 — High (CVSS 8.0): CWE-282 "Improper Ownership Management" in GE Vernova EnerVista UR Setup allows Authentication Bypass. The…
- CVE-2024-39755 — High (CVSS 7.8): A privilege escalation vulnerability exists in the node update functionality of Veertu Anka Build 1.42.0. A specially…
- CVE-2024-37999 — High (CVSS 7.8): A vulnerability has been identified in Medicalis Workflow Orchestrator (All versions). The affected application…
- CVE-2023-0386 — High (CVSS 7.8): A flaw was found in the Linux kernel, where unauthorized access to the execution of the setuid file with capabilities…