framasoft 関連製品全体の CVE とセキュリティ脆弱性情報を集約し、CVSS、EPSS、公開日、脆弱性情報データを掲載しています。
公開された問題は vendor risk ssrf、vendor risk cross-site scripting, and パス処理の欠陥 に関連することが多く、vendor surface software deployment and vendor surface production workloads の文脈で vendor impact unexpected behavior and ファイル上書き などの暴露リスクを伴う場合があります。
掲載データは公開脆弱性情報とセキュリティ公告に基づき、過去の暴露面と修補優先度の評価に利用できます。
| CVE | 概要 | ソース | CVSS 最大値 | EPSS(%) | 公開 | 更新 |
|---|---|---|---|---|---|---|
| CVE-2025-32949 | This vulnerability allows any authenticated user to cause the server to consume very large amounts of disk space when extracting a Zip Bomb. If user import is enabled (which is the default setting), any registered user can upload an archive for importing. The code uses the yauzl library for reading the archive. The yauzl library does not contain any mechanism to detect or prevent extraction of a Zip Bomb https://en.wikipedia.org/wiki/Zip_bomb . Therefore, when using the User Import functional | [email protected] | 6.5 | 0.46% | 2025-04-15 | 2025-10-21 |
| CVE-2025-32948 | The vulnerability allows any attacker to cause the PeerTube server to stop functioning, or in special cases send requests to arbitrary URLs (Blind SSRF). Attackers can send ActivityPub activities to PeerTube's "inbox" endpoint. By abusing the "Create Activity" functionality, it is possible to create crafted playlists which will cause either denial of service or an attacker-controlled blind SSRF. | [email protected] | 7.5 | 0.50% | 2025-04-15 | 2025-10-21 |
| CVE-2025-32947 | This vulnerability allows any attacker to cause the PeerTube server to stop responding to requests due to an infinite loop in the "inbox" endpoint when receiving crafted ActivityPub activities. | [email protected] | 7.5 | 0.63% | 2025-04-15 | 2025-10-21 |
| CVE-2025-32946 | This vulnerability allows any attacker to add playlists to a different user’s channel using the ActivityPub protocol. The vulnerable code sets the owner of the new playlist to be the user who performed the request, and then sets the associated channel to the channel ID supplied by the request, without checking if it belongs to the user. | [email protected] | 5.3 | 0.31% | 2025-04-15 | 2025-10-21 |
| CVE-2025-32945 | The vulnerability allows an existing user to add playlists to a different user’s channel using the PeerTube REST API. The vulnerable code sets the owner of the new playlist to be the user who performed the request, and then sets the associated channel to the channel ID supplied by the request, without checking if it belongs to the user. | [email protected] | 4.3 | 0.27% | 2025-04-15 | 2025-10-21 |
| CVE-2025-32944 | The vulnerability allows any authenticated user to cause the PeerTube server to stop functioning in a persistent manner. If user import is enabled (which is the default setting), any registered user can upload an archive for importing. The code uses the yauzl library for reading the archive. If the yauzl library encounters a filename that is considered illegal, it raises an exception that is uncaught by PeerTube, leading to a crash which repeats infinitely on startup. | [email protected] | 6.5 | 0.48% | 2025-04-15 | 2025-10-21 |
| CVE-2025-32943 | The vulnerability allows any authenticated user to leak the contents of arbitrary “.m3u8” files from the PeerTube server due to a path traversal in the HLS endpoint. | [email protected] | 3.7 | 0.42% | 2025-04-15 | 2025-10-10 |
| CVE-2022-0881 | Insecure Storage of Sensitive Information in GitHub repository chocobozzz/peertube prior to 4.1.1. | [email protected] | 6.5 | 1.07% | 2022-03-09 | 2024-11-21 |
| CVE-2022-0727 | Improper Access Control in GitHub repository chocobozzz/peertube prior to 4.1.0. | [email protected] | 5.4 | 0.67% | 2022-02-23 | 2024-11-21 |
| CVE-2022-0726 | Missing Authorization in GitHub repository chocobozzz/peertube prior to 4.1.0. | [email protected] | 5.4 | 0.67% | 2022-02-23 | 2024-11-21 |
| CVE-2022-0508 | Server-Side Request Forgery (SSRF) in GitHub repository chocobozzz/peertube prior to f33e515991a32885622b217bf2ed1d1b0d9d6832 | [email protected] | 5.3 | 0.88% | 2022-02-08 | 2024-11-21 |
| CVE-2022-0170 | peertube is vulnerable to Improper Access Control | [email protected] | 4.3 | 0.68% | 2022-01-11 | 2024-11-21 |
| CVE-2022-0133 | peertube is vulnerable to Improper Access Control | [email protected] | 7.5 | 1.21% | 2022-01-10 | 2024-11-21 |
| CVE-2022-0132 | peertube is vulnerable to Server-Side Request Forgery (SSRF) | [email protected] | 7.5 | 0.91% | 2022-01-10 | 2024-11-21 |
| CVE-2021-3780 | peertube is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | [email protected] | 6.1 | 0.87% | 2021-09-15 | 2024-11-21 |
| CVE-2017-1000039 | Framadate version 1.0 is vulnerable to Formula Injection in the CSV Export resulting possible Information Disclosure and Code Execution | [email protected] | 9.8 | 2.62% | 2017-07-17 | 2026-05-13 |