EUVD-2026-14494
GHSA-ghx5-7jjg-q2j7
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
3Tags
Description
WWBN AVideo is an open source video platform. In versions up to and including 26.0, a sanitization order-of-operations flaw in the user profile "about" field allows any registered user to inject arbitrary JavaScript that executes when other users visit their channel page. The `xss_esc()` function entity-encodes input before `strip_specific_tags()` can match dangerous HTML tags, and `html_entity_decode()` on output reverses the encoding, restoring the raw malicious HTML. Commit 7cfdc380dae1e56bbb5de581470d9e9957445df0 contains a patch.
Analysis
WWBN AVideo versions up to and including 26.0 contain a stored cross-site scripting (XSS) vulnerability in the user profile "about" field caused by improper sanitization order of operations. Any registered user can inject arbitrary JavaScript that executes when other users visit their channel page, allowing attackers to steal session cookies, perform actions on behalf of victims, or redirect users to malicious sites. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 30 days: Identify affected systems running versions and apply vendor patches as part of regular patch cycle. Verify Content-Security-Policy and output encoding.
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today