Back to overview

CVE-2026-57167

MEDIUM
5.1
CVSS 4.0
Description
PeerTube is an ActivityPub-federated video streaming platform. Prior to 8.2.2, server-side-rendered video watch pages embed a schema.org JSON-LD block by JSON.stringify-ing video metadata without escaping less-than, greater-than, or slash characters, allowing a value containing the byte sequence that closes a script element to inject arbitrary HTML or JavaScript that executes in the instance origin for visitors to the attacker's videos. This issue is fixed in version 8.2.2.

Metadata

CVE ID
CVE-2026-57167
State
PUBLISHED
Assigner
GitHub_M
Reserved
2026-06-24 01:47 UTC
Published
2026-07-10 16:37 UTC
Last updated
2026-07-10 17:42 UTC
Primary CWE
CWE-80
CWE-80: Improper Neutralization of Script-Related HTML Tags …
Vendor / Product
Chocobozzz / PeerTube
Sources
cve.org  ·  NVD

Severity & Metrics

5.1 MEDIUM CVSS 4.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
SSVC — CISA Coordinator
Exploitation
none
Automatable
no
Tech. Impact
partial
Affected products (1)
VendorProductPlatformVersions
Chocobozzz PeerTube < 8.2.2
Weakness (CWE)
CWESourceDescription
CWE-80 cna CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
CVSS scores (1)
ScoreSeverityVersionSourceVector
5.1 MEDIUM 4.0 cna CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
References (3)
Back to overview