If you run a PeerTube instance and have not patched in the past 4 hours, you are way behind and likely have been compromised. The latest patch will help clean up the mess.

See here: github.com/Chocobozzz/PeerTube

@jerry Impressive release with detections and mitigations in the notes. The team did well responding to it.


@jawnsy @jerry

In this day and age, an SQL injection vulnerability is clear proof of sloppiness, unless the vulnerability is in the data access library they are using, of course.

There are so many ways to access a database that make that kind of attack impossible that there is no excuse.
It is not something weird or complex; even PHP's official documentation clearly explains how to avoid them when it explains how to access a DB.

Let's hope they have learned their lesson and they change all their DB code according to best practices.

We are in 2026, for God's sake.
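Added example, not from any poster in this thread and not PeerTube's own code: the concatenated query the post criticises beside the bound-parameter form the database documentation recommends, run against a constructed in-memory table with Python's standard sqlite3 module (chosen for being runnable offline; PeerTube itself is a Node.js project).

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for an application's users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.org"), ("bob", "bob@example.org")],
    )
    return conn


def find_user_unsafe(conn, name):
    # String concatenation: the input is spliced into the SQL text, so a quote
    # in the input ends the literal and the rest is parsed as SQL grammar.
    sql = "SELECT name FROM users WHERE name = '" + name + "' ORDER BY name"
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn, name):
    # Bound parameter: the statement is parsed first and the value is attached
    # afterwards, so whatever the input contains it can only ever be a value.
    sql = "SELECT name FROM users WHERE name = ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, (name,))]


def demo():
    """Run both variants on an honest and a constructed hostile input."""
    conn = make_db()
    honest = "alice"
    hostile = "x' OR '1'='1"  # constructed input: a tautology once concatenated
    return {
        "unsafe_honest": find_user_unsafe(conn, honest),
        "unsafe_hostile": find_user_unsafe(conn, hostile),  # every row leaks
        "safe_honest": find_user_safe(conn, honest),
        "safe_hostile": find_user_safe(conn, hostile),  # no user has that literal name
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:15} -> {rows}")
```

The difference to check for in a code review is structural, not the input: any query built with `+`, f-strings or template literals around user data has this shape regardless of what the input looks like today.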
