Untriaged
Permalink
CVE-2026-57167
5.1 MEDIUM
- CVSS version (CVSS): 4.0
- Attack Vector (AV): Network (N)
- Attack Complexity (AC): Low (L)
- Attack Requirement (AT): None (N)
- Privileges Required (PR): Low (L)
- User Interaction (UI): Passive (P)
- Vulnerable System Impact Confidentiality (VC): None (N)
- Vulnerable System Impact Integrity (VI): None (N)
- Vulnerable System Impact Availability (VA): None (N)
- Subsequent System Impact Confidentiality (SC): Low (L)
- Subsequent System Impact Integrity (SI): Low (L)
- Subsequent System Impact Availability (SA): None (N)
- Modified Attack Vector (MAV): Network (N)
- Modified Attack Complexity (MAC): Low (L)
- Modified Attack Requirement (MAT): None (N)
- Modified Privileges Required (MPR): Low (L)
- Modified User Interaction (MUI): Passive (P)
- Modified Vulnerable System Impact Confidentiality (MVC): None (N)
- Modified Vulnerable System Impact Integrity (MVI): None (N)
- Modified Vulnerable System Impact Availability (MVA): None (N)
- Modified Subsequent System Impact Confidentiality (MSC): Low (L)
- Modified Subsequent System Impact Integrity (MSI): Low (L)
- Modified Subsequent System Impact Availability (MSA): Negligible (N)
- Safety (S): Not Defined (X)
- Automatable (AU): Not Defined (X)
- Recovery (R): Not Defined (X)
- Value Density (V): Not Defined (X)
- Vulnerability Response Effort (RE): Not Defined (X)
- Provider Urgency (U): Not Defined (X)
- Confidentiality Req. (CR): Not Defined (X)
- Integrity Req. (IR): Not Defined (X)
- Availability Req. (AR): Not Defined (X)
- Exploit Maturity (E): Not Defined (X)
Activity log
- Created suggestion
PeerTube: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
PeerTube is an ActivityPub-federated video streaming platform. Prior to 8.2.2, server-side-rendered video watch pages embed a schema.org JSON-LD block by JSON.stringify-ing video metadata without escaping less-than, greater-than, or slash characters, allowing a value containing the byte sequence that closes a script element to inject arbitrary HTML or JavaScript that executes in the instance origin for visitors to the attacker's videos. This issue is fixed in version 8.2.2.
References
-
https://github.com/Chocobozzz/PeerTube/security/advisories/GHSA-jxwq-h9xv-hr28 x_refsource_CONFIRM
-
https://github.com/Chocobozzz/PeerTube/releases/tag/v8.2.2 x_refsource_MISC
Affected products
PeerTube
- ==< 8.2.2
Matching in nixpkgs
pkgs.peertube
Free software to take back control of your videos
Package maintainers
-
@eljamm Fedi Jamoussi <fedi.jamoussi@protonmail.ch>
-
@Prince213 Sizhe Zhao <prc.zhao@outlook.com>
-
@Izorkin Yurii Izorkin <Izorkin@gmail.com>
-
@immae Ismaël Bouya <ismael@bouya.org>
-
@ethancedwards8 Ethan Carter Edwards <ethan@ethancedwards.com>
-
@stevenroose Steven Roose <github@stevenroose.org>
-
@phanirithvij Phani Rithvij <phanirithvij2000@gmail.com>
-
@haruki7049 haruki7049 <tontonkirikiri@gmail.com>