PeerTube - Package Updates

Package Updates

[4.5.1]

• Update PeerTube to 8.0.1
• Full Changelog
• Prevent transcription error when the video has been deleted
• Fix select button style for redundancy
• Fix invalid form after admin configuration update
• Fix alert styling in watch page
• Fix left menu collapse when accessing admin configuration
• Fix config wizard not applying config
• Correctly do not open again welcome modal
• Fix decaching node modules paths of plugins
• Send 401 HTTP code instead of 404 when fetching the HTML page of a password protected video
• More precise date interval (x min ago, x months ago, etc.)

Package Updates

[4.5.2]

• Update PeerTube to 8.0.2
• Full Changelog
• Fix PostgreSQL CPU usage and broken PeerTube instance on instances with a many subscriptions or big federation
• Fix login URL in registration email
• Remove the trailing comma in the plugins package.json files that broke the update/installation process
• Fix broken channel sync if private privacy is removed by a plugin
• Fix restoring My Videos sort after a search

Package Updates

[4.6.1]

• Update PeerTube to 8.1.2
• Full Changelog
• Fix broken thumbnails on account page
• Fix broken initial channel import
• Fix broken root password generation

Package Updates

[4.6.3]

• Update PeerTube to 8.1.4
• Full Changelog
• Don't fetch too big image sizes for thumbnails
• Prevent the player from crashing when the user quits the watch page
• Prevent invalid start/end timecode when cutting the video in studio
• Fix blocklist error when listing many users
• Fix broken transcoding when remote runners is enabled

Package Updates

[4.6.4]

• Update production.yaml.example

Package Updates

[4.6.5]

• Update PeerTube to 8.1.5
• Full Changelog
• Fix infinite loop when processing some GIF images
• Correctly inject custom admin colors in dark theme
• Fix broken player when loading the page in background

Package Updates

[4.6.6]

• Update peertube-plugin-auth-openid-connect to 1.1.0

Package Updates

[4.6.7]

• Update PeerTube to 8.1.6
• Full Changelog
• Follow v8.1.0 IMPORTANT NOTES if you upgrade from PeerTube <= v8.0.2
• Fix SQL injection coming from actor inbox URL when updating actor follow scores. Thanks to Nagarajan Selvaraj Paulmony for reporting this vulnerability
• Reject JSON-LD objects with special properties. Thanks to Mastodon security team for reporting this vulnerability
• Restricts role assignment to administrators only
• Prevent external auth token replay
• Prevent SSRF on import and channel sync
• Stricter rate limit to ask password reset

Package Updates

[4.6.8]

• Update PeerTube to 8.1.7
• Full Changelog
• Fix broken URL import
• Fix user quota check for imports
• Fix removing notifications from muted accounts

Package Updates

[4.6.9]

• Update PeerTube to 8.1.8
• Full Changelog
• We have learned that the SQL injection vulnerability fixed in v8.1.6 has been exploited at scale since at least May 18, 2026 and so before the v8.1.6 release.
• According to our investigation, the attacker exploited this SQL injection to generate a token for the root user and install the peertube-plugin-google-analytics-js plugin. This plugin imports a client script from hxxps://www.googie-anaiytics.com/jquery.ui.js that currently only logs a line in the web browser.
• Automatically remove peertube-plugin-google-analytics-js in v8.1.8
• Invalidate OAuth tokens in v8.1.8 (all users must log in again)
• Add a new user.disable_root_auth config key to disable root token usage
• Remove the plugin from the plugin registry
• Upgrade to v8.1.8 as soon as possible
• Review newly created users and videos
• Review your instance configuration, especially Configuration -> Customization -> JavaScript/CSS
• Review installed plugins