HIGHCVE-2026-33295Published 2026-03-22Modified 2026-03-23CNA GitHub_M

CVE-2026-33295: AVideo Vulnerable to Stored XSS via Unescaped Video Title in CDN downloadButtons.php

WWBN AVideo is an open source video platform. Prior to version 26.0, WWBN/AVideo contains a stored cross-site scripting vulnerability in the CDN plugin's download buttons component. The `clean_title` field of a video record is interpolated directly into a JavaScript string literal without any escaping, allowing an attacker who can create or modify a video to inject arbitrary JavaScript that executes in the browser of any user who visits the affected download page. Version 26.0 fixes the issue.

CVSS v4.0: 8.2
Severity: HIGH
Fixed in: —
Affected Products: 1

Affected packages

WWBN / AVideo
< 26.0

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N

References

https://github.com/WWBN/AVideo/security/advisories/GHSA-gc3m-4mcr-h3pv
https://github.com/WWBN/AVideo/commit/30cdd825fa5778c1d678c2402be2413b84ee4833

Metrics