Skip to main content

Avideo CVE-2026-27568

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-02-24 security-advisories@github.com GHSA-rcqw-6466-3mv7
6.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

3
Analysis Generated
Mar 12, 2026 - 21:55 vuln.today
Patch released
Feb 26, 2026 - 19:57 nvd
Patch available
CVE Published
Feb 24, 2026 - 15:21 nvd
MEDIUM 6.1

DescriptionGitHub Advisory

WWBN AVideo is an open source video platform. Prior to version 21.0, AVideo allows Markdown in video comments and uses Parsedown (v1.7.4) without Safe Mode enabled. Markdown links are not sufficiently sanitized, allowing javascript: URIs to be rendered as clickable links. An authenticated low-privilege attacker can post a malicious comment that injects persistent JavaScript. When another user clicks the link, the attacker can perform actions such as session hijacking, privilege escalation (including admin takeover), and data exfiltration. Version 21.0 contains a fix. As a workaround, validate and block unsafe URI schemes (e.g., javascript:) before rendering Markdown, and enable Parsedown Safe Mode.

AnalysisAI

Avideo versions prior to 21.0 allow authenticated attackers to inject malicious JavaScript through improperly sanitized Markdown links in video comments, enabling session hijacking, privilege escalation, and data theft when victims click the links. The vulnerability stems from unsafe Parsedown configuration that fails to block javascript: URI schemes. A patch is available in version 21.0.

Technical ContextAI

Classified as CWE-79 (Cross-site Scripting (XSS)). Affects Avideo. WWBN AVideo is an open source video platform. Prior to version 21.0, AVideo allows Markdown in video comments and uses Parsedown (v1.7.4) without Safe Mode enabled. Markdown links are not sufficiently sanitized, allowing javascript: URIs to be rendered as clickable links. An authenticated low-privilege attacker can post a malicious comment that injects persistent JavaScript. When another user clicks the link, the attacker can perform actions such as session hijacking, privilege escalation (inc

RemediationAI

A vendor patch is available — apply it immediately. Implement output encoding and Content Security Policy headers. Restrict network access to the affected service where possible.

More in Avideo

View all
CVE-2023-48728 CRITICAL POC
9.6 Jan 10

A cross-site scripting (xss) vulnerability exists in the functiongetOpenGraph videoName functionality of WWBN AVideo 11.

CVE-2024-31819 CRITICAL POC
9.8 Apr 10

An issue in WWBN AVideo v.12.4 through v.14.2 allows a remote attacker to execute arbitrary code via the systemRootPath

CVE-2022-30547 CRITICAL POC
9.9 Aug 22

A directory traversal vulnerability exists in the unzipDirectory functionality of WWBN AVideo 11.6 and dev master commit

CVE-2023-49599 CRITICAL POC
9.8 Jan 10

An insufficient entropy vulnerability exists in the salt generation functionality of WWBN AVideo dev master commit 15fed

CVE-2026-28501 CRITICAL POC
9.8 Mar 06

Unauthenticated SQL injection in AVideo before 24.0.

CVE-2023-25313 CRITICAL POC
9.8 Apr 25

OS injection vulnerability in World Wide Broadcast Network AVideo version before 12.4, allows attackers to execute arbit

CVE-2022-26842 CRITICAL POC
9.6 Aug 22

A reflected cross-site scripting (xss) vulnerability exists in the charts tab selection functionality of WWBN AVideo 11.

CVE-2023-47861 CRITICAL POC
9.0 Jan 10

A cross-site scripting (xss) vulnerability exists in the channelBody.php user name functionality of WWBN AVideo 11.6 and

CVE-2022-28712 CRITICAL POC
9.0 Aug 22

A cross-site scripting (xss) vulnerability exists in the videoAddNew functionality of WWBN AVideo 11.6 and dev master co

CVE-2023-49589 HIGH POC
8.8 Jan 10

An insufficient entropy vulnerability exists in the userRecoverPass.php recoverPass generation functionality of WWBN AVi

CVE-2023-32073 HIGH POC
8.8 May 12

WWBN AVideo is an open source video platform. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable

CVE-2023-30854 HIGH POC
8.8 Apr 28

AVideo is an open source video platform. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low

Share

CVE-2026-27568 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy