PT-2026-57239 · Peertube · Peertube
Published
2026-07-10
·
Updated
2026-07-10
·
CVE-2026-57167
CVSS v4.0
5.1
Medium
| Vector | AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N |
Name of the Vulnerable Software and Affected Versions
PeerTube versions prior to 8.2.2
Description
Server-side-rendered video watch pages embed a schema.org JSON-LD block by processing video metadata through JSON.stringify without escaping less-than, greater-than, or slash characters. This allows an attacker to use a byte sequence that closes a script element to inject arbitrary HTML or JavaScript, which then executes in the instance origin when visitors view the attacker's videos.
Recommendations
Update to version 8.2.2.
Exploit
Fix
XSS
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Peertube