CVE-2026-57167
Received Received - Intake

Stored XSS in PeerTube Video Metadata via JSON-LD Injection

Vulnerability report for CVE-2026-57167, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-10

Last updated on: 2026-07-10

Assigner: GitHub, Inc.

Description

PeerTube is an ActivityPub-federated video streaming platform. Prior to 8.2.2, server-side-rendered video watch pages embed a schema.org JSON-LD block by JSON.stringify-ing video metadata without escaping less-than, greater-than, or slash characters, allowing a value containing the byte sequence that closes a script element to inject arbitrary HTML or JavaScript that executes in the instance origin for visitors to the attacker's videos. This issue is fixed in version 8.2.2.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-10
Last Modified
2026-07-10
Generated
2026-07-10
AI Q&A
2026-07-10
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 3 associated CPEs
Vendor Product Version / Range
peertube peertube 8.2.2
chocobozzz peertube to 8.2.1 (exc)
chocobozzz peertube to 8.2.2 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-80 The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The CVE-2026-57167 vulnerability in PeerTube is a Cross-Site Scripting (XSS) issue that occurs on server-side-rendered video watch pages. The problem arises because a schema.org JSON-LD block is embedded by using JSON.stringify on video metadata without escaping certain characters like less-than (<), greater-than (>), or slash (/). This allows an attacker to inject a byte sequence that prematurely closes the script element (</script>), enabling the injection and execution of arbitrary HTML or JavaScript code within the instance's origin when visitors watch the attacker's videos.

Impact Analysis

This vulnerability can allow attackers to execute arbitrary JavaScript code in the context of the PeerTube instance. This can lead to unauthorized actions such as stealing user session data, performing actions on behalf of users, defacing the website, or delivering malicious payloads to visitors. Essentially, it compromises the security and integrity of the platform and the safety of its users.

Detection Guidance

This vulnerability involves improper escaping of certain characters in the JSON-LD block embedded in server-side-rendered video watch pages of PeerTube instances prior to version 8.2.2. Detection can focus on identifying instances running vulnerable versions and inspecting video metadata for suspicious script injection patterns.

You can detect the vulnerability by checking the PeerTube version running on your system. Versions prior to 8.2.2 are vulnerable.

To identify potentially malicious payloads, you can search for video metadata containing the byte sequence that closes a script element (e.g., '</script>') in the JSON-LD blocks of video watch pages.

  • Check PeerTube version: Run a command or check the application interface to confirm the version is older than 8.2.2.
  • Use curl or wget to fetch a video watch page and grep for suspicious script-closing sequences in the JSON-LD block, for example:
  • curl -s https://your-peertube-instance/videos/watch/VIDEO_ID | grep -oP '(?<=<script type="application/ld\+json">).*?(</script>)'
  • Search for '</script>' or other suspicious characters in the JSON-LD content that could indicate injection.
Mitigation Strategies

The primary and immediate mitigation step is to upgrade your PeerTube instance to version 8.2.2 or later, where this vulnerability has been fixed.

The fix involves proper escaping of HTML special characters in JSON strings embedded in the HTML output, preventing script injection.

  • Upgrade PeerTube to version 8.2.2 or newer as soon as possible.
  • If immediate upgrade is not possible, restrict access to video watch pages or disable video uploads from untrusted users to reduce exposure.
  • Monitor logs and user-generated content for suspicious script tags or injection attempts.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-57167. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart