Avideo
CVE-2026-27568
MEDIUM
Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
3DescriptionGitHub Advisory
WWBN AVideo is an open source video platform. Prior to version 21.0, AVideo allows Markdown in video comments and uses Parsedown (v1.7.4) without Safe Mode enabled. Markdown links are not sufficiently sanitized, allowing javascript: URIs to be rendered as clickable links. An authenticated low-privilege attacker can post a malicious comment that injects persistent JavaScript. When another user clicks the link, the attacker can perform actions such as session hijacking, privilege escalation (including admin takeover), and data exfiltration. Version 21.0 contains a fix. As a workaround, validate and block unsafe URI schemes (e.g., javascript:) before rendering Markdown, and enable Parsedown Safe Mode.
AnalysisAI
Avideo versions prior to 21.0 allow authenticated attackers to inject malicious JavaScript through improperly sanitized Markdown links in video comments, enabling session hijacking, privilege escalation, and data theft when victims click the links. The vulnerability stems from unsafe Parsedown configuration that fails to block javascript: URI schemes. A patch is available in version 21.0.
Technical ContextAI
Classified as CWE-79 (Cross-site Scripting (XSS)). Affects Avideo. WWBN AVideo is an open source video platform. Prior to version 21.0, AVideo allows Markdown in video comments and uses Parsedown (v1.7.4) without Safe Mode enabled. Markdown links are not sufficiently sanitized, allowing javascript: URIs to be rendered as clickable links. An authenticated low-privilege attacker can post a malicious comment that injects persistent JavaScript. When another user clicks the link, the attacker can perform actions such as session hijacking, privilege escalation (inc
RemediationAI
A vendor patch is available — apply it immediately. Implement output encoding and Content Security Policy headers. Restrict network access to the affected service where possible.
A cross-site scripting (xss) vulnerability exists in the functiongetOpenGraph videoName functionality of WWBN AVideo 11.
An issue in WWBN AVideo v.12.4 through v.14.2 allows a remote attacker to execute arbitrary code via the systemRootPath
A directory traversal vulnerability exists in the unzipDirectory functionality of WWBN AVideo 11.6 and dev master commit
An insufficient entropy vulnerability exists in the salt generation functionality of WWBN AVideo dev master commit 15fed
Unauthenticated SQL injection in AVideo before 24.0.
OS injection vulnerability in World Wide Broadcast Network AVideo version before 12.4, allows attackers to execute arbit
A reflected cross-site scripting (xss) vulnerability exists in the charts tab selection functionality of WWBN AVideo 11.
A cross-site scripting (xss) vulnerability exists in the channelBody.php user name functionality of WWBN AVideo 11.6 and
A cross-site scripting (xss) vulnerability exists in the videoAddNew functionality of WWBN AVideo 11.6 and dev master co
An insufficient entropy vulnerability exists in the userRecoverPass.php recoverPass generation functionality of WWBN AVi
WWBN AVideo is an open source video platform. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable
AVideo is an open source video platform. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-rcqw-6466-3mv7