CVE-2025-22138

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2025-22138

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-22138.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-22138

Aliases

GHSA-pv74-hcg9-65r4

Published

2025-01-13T20:34:29.354Z

Modified

2026-04-10T05:24:25.471369Z

Severity

5.1 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator

Summary

Private categories allow suggested edits to be viewed via the queue in @codidact/qpixel

Details

@codidact/qpixel is a Q&A-based community knowledge-sharing software. In affected versions when a category is set to private or limited-visibility within QPixel's admin tools, suggested edits within this category can still be viewed by unprivileged or anonymous users via the suggested edit queue. This issue has not yet been patched and no workarounds are available. Users are advised to follow the development repo for updates.

Patches

Not yet patched.

Workarounds

None available. Private or limited-visibility categories should not be considered ways to store sensitive information.

References

Internal: SUPPORT-114

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/22xxx/CVE-2025-22138.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-200"
    ]
}

References

Affected packages

Git / github.com/codidact/qpixel

Affected ranges

Type

GIT

Repo

https://github.com/codidact/qpixel

Events

Introduced

Last affected

9ee5c50ca4e12aeec2cd21332d23e054ff28b810

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "0.9.0"
        }
    ]
}

Affected versions

v0.*

v0.3.0

v0.4.0

v0.5.0

v0.6.0

v0.6.1

v0.7.0

v0.9.0

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-22138.json"