PatchSiren cyber security CVE debrief
CVE-2026-57167 Chocobozzz CVE debrief
PeerTube, an ActivityPub-federated video streaming platform, had a vulnerability in server-side-rendered video watch pages prior to version 8.2.2. The platform embeds a schema.org JSON-LD block by JSON.stringify-ing video metadata without escaping less-than, greater-than, or slash characters, allowing a value containing the byte sequence that closes a script element to inject arbitrary HTML or JavaScript that executes in the instance origin for visitors to the attacker's videos. This issue is fixed in version 8.2.2. Administrators and users of PeerTube instances should be aware of this vulnerability, as it could allow attackers to inject arbitrary HTML or JavaScript.
- Vendor
- Chocobozzz
- Product
- PeerTube
- CVSS
- MEDIUM 5.1
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-10
- Original CVE updated
- 2026-07-10
- Advisory published
- 2026-07-10
- Advisory updated
- 2026-07-10
Who should care
Administrators and users of PeerTube instances should be aware of this vulnerability, as it could allow attackers to inject arbitrary HTML or JavaScript that executes in the instance origin for visitors to the attacker's videos. This vulnerability requires attention from PeerTube instance administrators, as well as users who may be affected by the vulnerability.
Technical summary
The vulnerability exists in the server-side-rendered video watch pages of PeerTube, where a schema.org JSON-LD block is embedded using JSON.stringify-ing video metadata without proper escaping. This allows an attacker to inject arbitrary HTML or JavaScript by providing a specially crafted video metadata value. The vulnerability requires a low-privileged user to exploit and can be fixed by updating PeerTube to version 8.2.2 or later.
Defensive priority
Medium priority for PeerTube instance administrators, as the vulnerability requires a low-privileged user to exploit and can be mitigated by updating to version 8.2.2 or later.
Recommended defensive actions
- Update PeerTube to version 8.2.2 or later
- Review and monitor video watch pages for suspicious activity
- Implement additional security measures, such as input validation and content security policy
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
Evidence notes
The CVE record was published on 2026-07-10T17:17:01.430Z and last modified on 2026-07-10T18:56:43.823Z. The vulnerability exists in PeerTube versions prior to 8.2.2. Evidence is limited to public sources and may not reflect the full scope or impact of the vulnerability. Defenders should verify the vulnerability's existence and impact within their environments.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-10T17:17:01.430Z and has not been modified since then.