CVE-2025-22138 MEDIUM

CVE-2025-22138: Private categories allow suggested edits to be viewed via the queue in @codidact/qpixel

Vendor Codidact

Product qpixel

Weakness CWE-200 · Info exposure

Published January 13, 2025

Last update January 14, 2025

View on NVD All CVEs

CVSS base score

5.1/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction —

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

@codidact/qpixel is a Q&A-based community knowledge-sharing software. In affected versions when a category is set to private or limited-visibility within QPixel's admin tools, suggested edits within this category can still be viewed by unprivileged or anonymous users via the suggested edit queue. This issue has not yet been patched and no workarounds are available. Users are advised to follow the development repo for updates. ### Patches Not yet patched. ### Workarounds None available. Private or limited-visibility categories should not be considered ways to store sensitive information. ### References Internal: [SUPPORT-114](https://codidact.atlassian.net/issues/SUPPORT-114)

Key dates

02Disclosure timeline

January 13, 2025 CVE published

January 14, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-22138

Related vulnerabilities

CVE-2025-22138: Private categories allow suggested edits to be viewed via the queue in @codidact/qpixel

01Description

02Disclosure timeline

03References

04Related CVE