PT-2026-57239 · Peertube · Peertube

Published

2026-07-10

·

Updated

2026-07-10

·

CVE-2026-57167

CVSS v4.0

5.1

Medium

VectorAV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
Name of the Vulnerable Software and Affected Versions PeerTube versions prior to 8.2.2
Description Server-side-rendered video watch pages embed a schema.org JSON-LD block by processing video metadata through JSON.stringify without escaping less-than, greater-than, or slash characters. This allows an attacker to use a byte sequence that closes a script element to inject arbitrary HTML or JavaScript, which then executes in the instance origin when visitors view the attacker's videos.
Recommendations Update to version 8.2.2.

Exploit

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-57167
GHSA-JXWQ-H9XV-HR28

Affected Products

Peertube