CVE-2025-32946

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2025-32946
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-32946.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-32946
Published
2025-04-15T13:15:55.360Z
Modified
2026-04-10T05:25:17.108837Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N CVSS Calculator
Summary
[none]
Details

This vulnerability allows any attacker to add playlists to a different user’s channel using the ActivityPub protocol. The vulnerable code sets the owner of the new playlist to be the user who performed the request, and then sets the associated channel to the channel ID supplied by the request, without checking if it belongs to the user.

References

Affected packages

Git / github.com/chocobozzz/peertube

Affected ranges

Type
GIT
Repo
https://github.com/chocobozzz/peertube
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
b9c3a4837e6a5e5d790e55759e3cf2871df4f03c
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "7.1.1"
        }
    ]
}

Affected versions

v0.*
v0.0.11-alpha
v0.0.12-alpha
v0.0.13-alpha
v0.0.14-alpha
v0.0.16-alpha
v0.0.17-alpha
v0.0.18-alpha
v0.0.19-alpha
v0.0.20-alpha
v0.0.21-alpha
v0.0.22-alpha
v0.0.23-alpha
v0.0.27-alpha
v0.0.28-alpha
v0.0.29-alpha
v0.0.3-alpha
v0.0.4-alpha
v0.0.5-alpha
v0.0.6-alpha
v0.0.8-alpha
v0.0.9-alpha
v1.*
v1.0.0-alpha.1
v1.0.0-alpha.10
v1.0.0-alpha.2
v1.0.0-alpha.3
v1.0.0-alpha.4
v1.0.0-alpha.5
v1.0.0-alpha.6
v1.0.0-alpha.7
v1.0.0-alpha.8
v1.0.0-alpha.9
v1.0.0-beta.1
v1.0.0-beta.10.pre.1
v1.0.0-beta.10.pre.2
v1.0.0-beta.10.pre.3
v1.0.0-beta.11
v1.0.0-beta.12
v1.0.0-beta.13
v1.0.0-beta.14
v1.0.0-beta.15
v1.0.0-beta.16
v1.0.0-beta.2
v1.0.0-beta.3
v1.0.0-beta.4
v1.0.0-beta.5
v1.0.0-beta.6
v1.0.0-beta.7
v1.0.0-beta.8
v1.0.0-beta.9
v1.0.0-rc.1
v1.0.0-rc.2
v1.1.0
v1.1.0-alpha.1
v1.1.0-rc.1
v1.3.0-rc.1
v1.4.0-rc.1
v2.*
v2.0.0
v2.0.0-rc.1
v2.1.0-rc.1
v2.2.0-rc.1
v2.3.0-rc.1
v2.4.0
v2.4.0-rc.1
v3.*
v3.0.0
v3.0.0-rc.1
v3.1.0-rc.1
v3.3.0
v3.3.0-rc.1
v3.4.0
v3.4.0-rc.1
v4.*
v4.0.0-rc.1
v4.1.0
v4.1.0-rc.1
v4.2.0-rc.1
v4.3.0
v4.3.0-rc.1
v5.*
v5.0.0
v5.0.0-rc.1
v5.1.0-rc.1
v5.2.0
v5.2.0-rc.1
v6.*
v6.0.0
v6.0.0-rc.1
v6.0.0-rc.2
v6.0.1
v6.0.2
v6.1.0
v6.1.0-rc.1
v6.2.0
v6.2.0-rc.1
v6.2.1
v6.3.0
v6.3.0-rc.1
v6.3.1
v7.*
v7.0.0
v7.0.0-rc.1
v7.0.1
v7.1.0
v7.1.0-rc.1

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-32946.json"