CVE-2025-30741
Severity: MEDIUM
Pixelfed < 0.12.5 - Unauthenticated Incorrect Authorization
Title source: llmDescription
Pixelfed before 0.12.5 allows anyone to follow private accounts and see private posts on other Fediverse servers. This affects users elsewhere in the Fediverse, if they otherwise have any followers from a Pixelfed instance.
References (4)
Core References
https://fokus.cool/2025/03/25/pixelfed-vulnerability.html
https://mastodon.social/@pixelfed/114215925957179498
https://news.ycombinator.com/item?id=43474425
Scores
CVSS v3
4.3
EPSS
0.0027
EPSS Percentile
18.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-863
Status
published
Products (2)
Pixelfed/Pixelfed
< 0.12.5
pixelfed/pixelfed
0 - 0.12.5 (Packagist)
Published
Mar 25, 2025
Tracked Since
Feb 18, 2026