Skip to main content

Avideo CVE-2026-33683

| EUVDEUVD-2026-14494 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-03-23 GitHub_M GHSA-ghx5-7jjg-q2j7
5.4
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

3
EUVD ID Assigned
Mar 23, 2026 - 19:00 euvd
EUVD-2026-14494
Analysis Generated
Mar 23, 2026 - 19:00 vuln.today
CVE Published
Mar 23, 2026 - 18:41 nvd
MEDIUM 5.4

DescriptionGitHub Advisory

WWBN AVideo is an open source video platform. In versions up to and including 26.0, a sanitization order-of-operations flaw in the user profile "about" field allows any registered user to inject arbitrary JavaScript that executes when other users visit their channel page. The xss_esc() function entity-encodes input before strip_specific_tags() can match dangerous HTML tags, and html_entity_decode() on output reverses the encoding, restoring the raw malicious HTML. Commit 7cfdc380dae1e56bbb5de581470d9e9957445df0 contains a patch.

AnalysisAI

WWBN AVideo versions up to and including 26.0 contain a stored cross-site scripting (XSS) vulnerability in the user profile "about" field caused by improper sanitization order of operations. Any registered user can inject arbitrary JavaScript that executes when other users visit their channel page, allowing attackers to steal session cookies, perform actions on behalf of victims, or redirect users to malicious sites. A patch is available via commit 7cfdc380dae1e56bbb5de581470d9e9957445df0, and the vulnerability has been formally disclosed through GitHub Security Advisory GHSA-ghx5-7jjg-q2j7.

Technical ContextAI

The vulnerability exists in WWBN AVideo (cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*), an open-source video platform, and stems from a classic CWE-79 (Improper Neutralization of Input During Web Page Generation) defect in the sanitization pipeline. The root cause is a critical order-of-operations flaw where the xss_esc() function entity-encodes HTML entities before strip_specific_tags() can identify and remove dangerous HTML tags. When output is rendered, html_entity_decode() reverses the entity encoding, restoring the raw malicious HTML and JavaScript that was never actually stripped. This chain of events creates a window for stored XSS attacks where attacker-controlled data persists in the database and executes in victim browsers without proper sanitization.

RemediationAI

Upgrade WWBN AVideo to a version that includes the patch from commit 7cfdc380dae1e56bbb5de581470d9e9957445df0 or any subsequent release containing this fix. Consult the vendor repository (https://github.com/WWBN/AVideo/commit/7cfdc380dae1e56bbb5de581470d9e9957445df0) for the exact patched version number. In the interim, if immediate upgrading is not possible, restrict the ability of untrusted users to edit their profile "about" field through role-based access controls, disable the profile feature entirely for non-administrative users, or implement a strict content security policy (CSP) header that blocks inline script execution. Additionally, audit existing user profiles for suspicious JavaScript or HTML content and consider clearing the "about" field for accounts that may have been compromised.

More in Avideo

View all
CVE-2023-48728 CRITICAL POC
9.6 Jan 10

A cross-site scripting (xss) vulnerability exists in the functiongetOpenGraph videoName functionality of WWBN AVideo 11.

CVE-2024-31819 CRITICAL POC
9.8 Apr 10

An issue in WWBN AVideo v.12.4 through v.14.2 allows a remote attacker to execute arbitrary code via the systemRootPath

CVE-2022-30547 CRITICAL POC
9.9 Aug 22

A directory traversal vulnerability exists in the unzipDirectory functionality of WWBN AVideo 11.6 and dev master commit

CVE-2023-49599 CRITICAL POC
9.8 Jan 10

An insufficient entropy vulnerability exists in the salt generation functionality of WWBN AVideo dev master commit 15fed

CVE-2026-28501 CRITICAL POC
9.8 Mar 06

Unauthenticated SQL injection in AVideo before 24.0.

CVE-2023-25313 CRITICAL POC
9.8 Apr 25

OS injection vulnerability in World Wide Broadcast Network AVideo version before 12.4, allows attackers to execute arbit

CVE-2022-26842 CRITICAL POC
9.6 Aug 22

A reflected cross-site scripting (xss) vulnerability exists in the charts tab selection functionality of WWBN AVideo 11.

CVE-2023-47861 CRITICAL POC
9.0 Jan 10

A cross-site scripting (xss) vulnerability exists in the channelBody.php user name functionality of WWBN AVideo 11.6 and

CVE-2022-28712 CRITICAL POC
9.0 Aug 22

A cross-site scripting (xss) vulnerability exists in the videoAddNew functionality of WWBN AVideo 11.6 and dev master co

CVE-2023-49589 HIGH POC
8.8 Jan 10

An insufficient entropy vulnerability exists in the userRecoverPass.php recoverPass generation functionality of WWBN AVi

CVE-2023-32073 HIGH POC
8.8 May 12

WWBN AVideo is an open source video platform. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable

CVE-2023-30854 HIGH POC
8.8 Apr 28

AVideo is an open source video platform. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low

Share

CVE-2026-33683 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy