EUVD-2026-19879

| CVE-2026-39367 MEDIUM
2026-04-07 GitHub_M GHSA-rqp3-gf5h-mrqx
5.4
CVSS 3.1
Share

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

3
EUVD ID Assigned
Apr 07, 2026 - 20:16 euvd
EUVD-2026-19879
Analysis Generated
Apr 07, 2026 - 20:16 vuln.today
CVE Published
Apr 07, 2026 - 19:22 nvd
MEDIUM 5.4

Tags

XSS

Description

WWBN AVideo is an open source video platform. In versions 26.0 and prior, AVideo's EPG (Electronic Program Guide) feature parses XML from user-controlled URLs and renders programme titles directly into HTML without any sanitization or escaping. A user with upload permission can set a video's epg_link to a malicious XML file whose <title> elements contain JavaScript. This payload executes in the browser of any unauthenticated visitor to the public EPG page, enabling session hijacking and account takeover.

Analysis

Stored cross-site scripting (XSS) in WWBN AVideo 26.0 and prior allows authenticated users with upload permissions to inject malicious JavaScript into EPG (Electronic Program Guide) XML files, which executes in the browsers of unauthenticated visitors to the public EPG page without sanitization. Attackers can exploit this to hijack sessions and takeover accounts of any user viewing the compromised EPG. …

Sign in for full analysis, threat intelligence, and remediation guidance.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

Priority Score

27
Low Medium High Critical
KEV: 0
EPSS: +0.0
CVSS: +27
POC: 0

Share

EUVD-2026-19879 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy