CVE-2025-30741

medium

Description

Pixelfed before 0.12.5 allows anyone to follow private accounts and see private posts on other Fediverse servers. This affects users elsewhere in the Fediverse, if they otherwise have any followers from a Pixelfed instance.

References

https://news.ycombinator.com/item?id=43474425

https://mastodon.social/@pixelfed/114215925957179498

https://github.com/pixelfed/pixelfed/releases/tag/v0.12.5

https://fokus.cool/2025/03/25/pixelfed-vulnerability.html

Details

Source: Mitre, NVD

Published: 2025-03-25

Updated: 2026-04-15

Risk Information

CVSS v2

Base Score: 4

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:N/A:N

Severity: Medium

CVSS v3

Base Score: 4.3

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Severity: Medium

EPSS

EPSS: 0.00023