Skip to main content

WWBN AVideo CVE-2026-47694

| EUVDEUVD-2026-33304 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-05-29 GitHub_M GHSA-c8h8-vq34-9fw2
5.4
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
May 29, 2026 - 14:32 vuln.today

DescriptionGitHub Advisory

WWBN AVideo is an open source video platform. In 29.0 and earlier, AVideo stores category descriptions from user input and later renders category_description as raw HTML in the Gallery view. A user who can create or edit categories can store JavaScript in a category description, which executes when another user views the affected Gallery/category page. This is a stored XSS in the category description field, separate from previously fixed XSS issues in video titles or comments.

AnalysisAI

Stored cross-site scripting in WWBN AVideo 29.0 and earlier allows an authenticated low-privilege user with category creation or editing rights to persist malicious JavaScript in category descriptions, which executes in any victim's browser upon viewing the Gallery or affected category page. The scope-changed CVSS vector (S:C) reflects that the injected payload crosses from the attacker's session into other users' browser contexts, enabling session hijacking or unauthorized actions on victims' behalf. No public exploit code has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the low-complexity, network-accessible attack path warrants prompt access control review on affected deployments.

Technical ContextAI

AVideo is an open-source PHP-based video platform maintained by WWBN. The vulnerable component is the Gallery view, which retrieves user-supplied category descriptions from the database and renders the category_description field as raw, unsanitized HTML directly into the page output. This violates the output-encoding requirement defined by CWE-79 (Improper Neutralization of Input During Web Page Generation - Cross-site Scripting), specifically the stored/persistent variant, where attacker-controlled data is saved server-side and later reflected to other users. The affected product CPE is cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*, covering all versions through 29.0. The advisory explicitly notes this is a distinct sink from previously patched XSS issues in video titles and comments, indicating a pattern of insufficient output encoding across multiple input fields in the application.

RemediationAI

Upstream fix availability is not independently confirmed from the provided data - consult the GitHub Security Advisory at https://github.com/WWBN/AVideo/security/advisories/GHSA-c8h8-vq34-9fw2 for a patched release version and upgrade instructions. As an immediate compensating control, restrict category creation and editing permissions to the smallest possible set of trusted administrator accounts; revoking this privilege from general users eliminates the attacker-controlled input path entirely. Deploying a Content Security Policy (CSP) header with a strict script-src directive will limit the impact of any stored payload that reaches end users, though CSP misconfiguration can reduce its effectiveness. Server-side HTML entity encoding or a vetted sanitization library (e.g., HTMLPurifier for PHP) applied to the category_description field at write or render time is the correct permanent fix at the code level.

More in Avideo

View all
CVE-2023-48728 CRITICAL POC
9.6 Jan 10

A cross-site scripting (xss) vulnerability exists in the functiongetOpenGraph videoName functionality of WWBN AVideo 11.

CVE-2024-31819 CRITICAL POC
9.8 Apr 10

An issue in WWBN AVideo v.12.4 through v.14.2 allows a remote attacker to execute arbitrary code via the systemRootPath

CVE-2022-30547 CRITICAL POC
9.9 Aug 22

A directory traversal vulnerability exists in the unzipDirectory functionality of WWBN AVideo 11.6 and dev master commit

CVE-2023-49599 CRITICAL POC
9.8 Jan 10

An insufficient entropy vulnerability exists in the salt generation functionality of WWBN AVideo dev master commit 15fed

CVE-2026-28501 CRITICAL POC
9.8 Mar 06

Unauthenticated SQL injection in AVideo before 24.0.

CVE-2023-25313 CRITICAL POC
9.8 Apr 25

OS injection vulnerability in World Wide Broadcast Network AVideo version before 12.4, allows attackers to execute arbit

CVE-2022-26842 CRITICAL POC
9.6 Aug 22

A reflected cross-site scripting (xss) vulnerability exists in the charts tab selection functionality of WWBN AVideo 11.

CVE-2023-47861 CRITICAL POC
9.0 Jan 10

A cross-site scripting (xss) vulnerability exists in the channelBody.php user name functionality of WWBN AVideo 11.6 and

CVE-2022-28712 CRITICAL POC
9.0 Aug 22

A cross-site scripting (xss) vulnerability exists in the videoAddNew functionality of WWBN AVideo 11.6 and dev master co

CVE-2023-49589 HIGH POC
8.8 Jan 10

An insufficient entropy vulnerability exists in the userRecoverPass.php recoverPass generation functionality of WWBN AVi

CVE-2023-32073 HIGH POC
8.8 May 12

WWBN AVideo is an open source video platform. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable

CVE-2023-30854 HIGH POC
8.8 Apr 28

AVideo is an open source video platform. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low

Share

CVE-2026-47694 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy