PHP
CVE-2026-33035
MEDIUM
Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
3DescriptionGitHub Advisory
Summary
AVideo contains a reflected XSS vulnerability that allows unauthenticated attackers to execute arbitrary JavaScript in a victim's browser. User input from a URL parameter flows through PHP's json_encode() into a JavaScript function that renders it via innerHTML, bypassing encoding and achieving full script execution.
Root Cause
The vulnerability is caused by two issues working together:
1. Source: Unescaped user input passed to JavaScript (videoNotFound.php)
File: view/videoNotFound.php line 49
if (!empty($_REQUEST['404ErrorMsg'])) {
echo 'avideoAlertInfo(' . json_encode($_REQUEST['404ErrorMsg']) . ');';
}PHP's json_encode() with default flags only escapes quotes (" → \") and backslashes. It does NOT escape HTML special characters (<, >, /). The resulting string contains raw HTML tags that are passed directly to JavaScript.
2. Sink: innerHTML renders HTML tags as executable DOM (script.js)
File: view/js/script.js
function avideoAlertInfo(msg) { // line ~1891
avideoAlert("", msg, 'info'); // calls ↓
}
function avideoAlert(title, msg, type) { // line ~1270
avideoAlertHTMLText(title, msg, type); // calls ↓
}
function avideoAlertHTMLText(title, msg, type) { // line ~1451
var span = document.createElement("span");
span.innerHTML = msg; // line 1464 - XSS SINK
swal({ content: span });
}innerHTML parses the string as HTML. Any <img>, <svg>, or other HTML tags with event handlers are instantiated as real DOM elements, triggering JavaScript execution.
Data Flow
URL parameter (?404ErrorMsg=PAYLOAD)
→ $_REQUEST['404ErrorMsg']
→ json_encode() ← does NOT escape < > /
→ avideoAlertInfo()
→ avideoAlert()
→ avideoAlertHTMLText()
→ span.innerHTML = msg ← renders HTML tags, executes JS---
Proof of Concept
https://localhost/view/videoNotFound.php?404ErrorMsg=<img src=x onerror=alert(document.domain)><img width="1918" height="1035" alt="image" src="https://github.com/user-attachments/assets/20077ce2-5b49-4bd3-a7df-ab48be786cc1" />
The page renders:
avideoAlertInfo("<img src=x onerror=alert(document.domain)>");Which flows to span.innerHTML = "<img src=x onerror=alert(document.domain)>". The browser creates an <img> element, src=x fails to load, onerror fires alert(document.domain).
Affected Code
| File | Line | Issue |
|---|---|---|
view/videoNotFound.php | 49 | json_encode() does not escape < > for HTML context |
view/js/script.js | 1464 | span.innerHTML = msg renders user input as HTML |
view/js/script.js | 1282 | span.innerHTML = msg in avideoAlertWithCookie() |
view/js/script.js | 1335 | span.innerHTML = __(msg,true) in avideoConfirm() |
view/js/script.js | 1358 | span.innerHTML = msg in avideoAlertOnceForceConfirm() |
The innerHTML sink exists in 4 functions. Any future code that passes user input to avideoAlertInfo(), avideoAlertWarning(), avideoAlertDanger(), or avideoAlertSuccess() will create additional XSS vectors.
Remediation
Fix 1: Escape HTML in PHP (source fix)
// view/videoNotFound.php line 49
// BEFORE (vulnerable):
echo 'avideoAlertInfo(' . json_encode($_REQUEST['404ErrorMsg']) . ');';
// AFTER (fixed):
echo 'avideoAlertInfo(' . json_encode($_REQUEST['404ErrorMsg'], JSON_HEX_TAG | JSON_HEX_AMP) . ');';JSON_HEX_TAG converts < → \u003C and > → \u003E, preventing HTML injection.
Fix 2: Use textContent instead of innerHTML (sink fix, recommended)
// view/js/script.js - all alert functions
// BEFORE (vulnerable):
span.innerHTML = msg;
// AFTER (fixed):
span.textContent = msg;textContent treats the string as plain text - HTML tags are displayed literally, never parsed or executed.
Fix 3: Add Content-Security-Policy header (defense in depth)
Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'Impact
- Session hijacking - steal
PHPSESSIDcookie (not HttpOnly by default) - Account takeover - use stolen session to change password or email
- Phishing - inject a realistic login form inside the SweetAlert modal
- Worm propagation - inject self-spreading payloads via comments/messages
- Admin compromise - send crafted link to admin, steal session, gain full control
AnalysisAI
Reflected XSS in AVideo's error message handling allows unauthenticated attackers to execute arbitrary JavaScript in victims' browsers by injecting malicious code through a URL parameter that bypasses json_encode() filtering. An attacker can craft a malicious link to steal session cookies, perform actions on behalf of the victim, or redirect users to malicious sites. A patch is available.
Technical ContextAI
Cross-site scripting (XSS) allows injection of client-side scripts into web pages viewed by other users due to insufficient output encoding.
RemediationAI
A vendor patch is available — apply it immediately. Encode all user-supplied output contextually (HTML, JS, URL). Implement Content Security Policy (CSP) headers. Use HTTPOnly and Secure cookie flags.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-wfq5-qgqp-hvhv