Description
WWBN AVideo is an open source video platform. In versions 25.0 and below, there is a reflected XSS vulnerability that allows unauthenticated attackers to execute arbitrary JavaScript in a victim's browser. User input from a URL parameter flows through PHP's json_encode() into a JavaScript function that renders it via innerHTML, bypassing encoding and achieving full script execution. The vulnerability is caused by two issues working together: unescaped user input passed to JavaScript (videoNotFound.php), and innerHTML rendering HTML tags as executable DOM (script.js). The attack can be escalated to steal session cookies, take over accounts, phish credentials via injected login forms, spread self-propagating payloads, and compromise admin accounts — all by exploiting the lack of proper input sanitization and cookie security (e.g., missing HttpOnly flag on PHPSESSID). The issue has been fixed in version 26.0.
Published: 2026-03-20
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting
Action: Apply Patch
AI Analysis

Impact

A reflected cross-site scripting vulnerability exists in AVideo versions 25.0 and earlier. A value taken from a URL parameter in videoNotFound.php is passed through PHP's json_encode() into an inline JavaScript call, and the receiving function in script.js writes that value into the page with innerHTML. json_encode() only makes the string safe for the JavaScript literal context (it escapes quotes, backslashes and control characters); it does not HTML-encode the characters < and >, so once the browser has decoded the literal the original tags reach innerHTML and are parsed as markup. An unauthenticated attacker who gets a victim to open a crafted link can therefore run arbitrary JavaScript in the victim's browser. The advisory notes that this can be used to steal the session cookie (PHPSESSID is set without HttpOnly), hijack accounts, phish credentials with injected forms, or propagate malicious payloads.
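The following is an added example, not code from AVideo or from the advisory. It models the two layers described above without a browser: phpJsonEncode() mimics what PHP's json_encode() emits for a string (default flags and JSON_HEX_TAG), and the remaining functions trace that value through the JavaScript literal into an innerHTML sink. The function names, the showNotFound() call and the PAYLOAD string are hypothetical or constructed; the real videoNotFound.php and script.js are not reproduced. The point it makes that the paragraph alone does not: adding JSON_HEX_TAG, the usual reflex fix for json_encode-in-script, changes the literal but not the runtime string, so the innerHTML sink is still exploitable; the fix has to be HTML escaping (or textContent) at the sink, or htmlspecialchars() before json_encode().

```javascript
// Added example (not AVideo code): models the two layers of the bug without
// a browser. Function names and PAYLOAD are hypothetical/constructed.

// Mimic PHP json_encode() for a string. Default flags escape ", \, / and
// control characters and emit non-ASCII as \uXXXX; <, >, &, ' pass through.
// JSON_HEX_TAG (hexTag: true) additionally rewrites < and > as \u003C/\u003E.
function phpJsonEncode(str, { hexTag = false } = {}) {
  let out = '"';
  for (const ch of str) {
    const cp = ch.codePointAt(0);
    if (ch === '"') out += '\\"';
    else if (ch === '\\') out += '\\\\';
    else if (ch === '/') out += '\\/';
    else if (ch === '\n') out += '\\n';
    else if (ch === '\r') out += '\\r';
    else if (ch === '\t') out += '\\t';
    else if (ch === '\b') out += '\\b';
    else if (ch === '\f') out += '\\f';
    else if (cp < 0x20) out += '\\u' + cp.toString(16).padStart(4, '0');
    else if (hexTag && ch === '<') out += '\\u003C';
    else if (hexTag && ch === '>') out += '\\u003E';
    else if (cp >= 0x80) {
      // one \uXXXX per UTF-16 code unit, lowercase hex as PHP emits it
      for (let i = 0; i < ch.length; i++) {
        out += '\\u' + ch.charCodeAt(i).toString(16).padStart(4, '0');
      }
    } else out += ch;
  }
  return out + '"';
}

// Stand-in for the PHP template that interpolates the literal into an inline
// <script> call (hypothetical function name). json_encode() does keep this
// context safe: the value cannot break out of the string or the script.
function buildInlineScript(message, opts) {
  return `showNotFound(${phpJsonEncode(message, opts)});`;
}

// What the JS engine hands to the receiving function once it has parsed the
// literal: every \uXXXX escape is already turned back into its character.
function runtimeValue(message, opts) {
  return JSON.parse(phpJsonEncode(message, opts));
}

// Approximation of the HTML tokenizer's tag-open rule: "<" followed by an
// ASCII letter, "/", "!" or "?" leaves the data state, so element.innerHTML
// would build elements/comments from the string instead of showing text.
function innerHtmlWouldCreateMarkup(str) {
  return /<[A-Za-z\/!?]/.test(str);
}

// Sink-side fix: escape for HTML before innerHTML (or use textContent).
// Calling htmlspecialchars() in PHP before json_encode() yields the same bytes.
function escapeHtml(str) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return str.replace(/[&<>"']/g, (c) => map[c]);
}

// Constructed probe value, not the advisory's proof of concept.
const PAYLOAD = '<img src=x onerror="alert(1)">';

function demo() {
  const hexTag = { hexTag: true };
  return {
    inlineScriptDefault: buildInlineScript(PAYLOAD),
    inlineScriptHexTag: buildInlineScript(PAYLOAD, hexTag),
    // JSON_HEX_TAG changes the literal, not the runtime string
    hexTagRoundTripsToPayload: runtimeValue(PAYLOAD, hexTag) === PAYLOAD,
    defaultReachesSinkAsMarkup: innerHtmlWouldCreateMarkup(runtimeValue(PAYLOAD)),
    hexTagReachesSinkAsMarkup: innerHtmlWouldCreateMarkup(runtimeValue(PAYLOAD, hexTag)),
    escapedReachesSinkAsMarkup: innerHtmlWouldCreateMarkup(escapeHtml(runtimeValue(PAYLOAD))),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Run it with node; the two "ReachesSinkAsMarkup" fields for the default and JSON_HEX_TAG paths both come out true, and only the HTML-escaped value comes out false.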

Affected Systems

The affected product is WWBN AVideo, an open‑source video platform. All releases up to and including 25.0 are vulnerable, and the defect was fixed in version 26.0. No other vendors or products are listed as affected.

Risk and Exploitability

The CVSS 4.0 base score of 5.3 (Medium) reflects a flaw reachable over the network with no privileges required but with user interaction: the victim has to open the crafted URL. NVD's CVSS 3.1 assessment is 6.1 under the same conditions. Both vectors record low confidentiality and integrity impact and no availability impact. The EPSS score below 1% indicates a low probability of exploitation in the wild, and the vulnerability is not in the CISA KEV catalog, although the SSVC record notes that proof-of-concept code exists. Because the flaw gives full script execution in the victim's origin, the realistic consequences are session theft, account takeover and credential phishing, with administrative accounts the highest-value targets.

Generated by OpenCVE AI on March 24, 2026 at 17:52 UTC.

Remediation

Fixed in AVideo 26.0, per the description and GHSA-wfq5-qgqp-hvhv. No workaround for earlier versions is recorded.

OpenCVE Recommended Actions

  • Upgrade to AVideo 26.0 or later, which contains the fix for this reflected XSS.
  • Check that the PHPSESSID cookie is set with the HttpOnly attribute. This blocks reading the cookie from document.cookie but does not stop injected script from acting on the user's behalf in the same origin, so it is a mitigation, not a fix.
  • Until the update is applied, review web server access logs for requests to videoNotFound.php whose query parameters contain a < character or its encoded forms (%3C, or %253C for double encoding), and watch for unexpected content on the video-not-found page.
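As an added example of the log review suggested above (not OpenCVE's or AVideo's code), the following scans constructed Apache/nginx combined-format access log lines and flags requests to videoNotFound.php whose decoded query parameter values contain an HTML tag-open sequence, which is what a probe against an innerHTML sink looks like on the wire. The log format, the client addresses and the parameter name "error" are assumptions; the page only says that the input comes from a URL parameter. Values are decoded repeatedly so that double-encoded probes (%253C) are caught as well.

```javascript
// Added example (not AVideo/OpenCVE code): flag reflected-XSS probes against
// videoNotFound.php in combined-format access logs. Log lines, IPs and the
// "error" parameter name are constructed assumptions.

// Constructed sample: two benign requests and two probes (one double-encoded).
const SAMPLE_LOG = [
  '203.0.113.5 - - [21/Mar/2026:10:00:01 +0000] "GET /videoNotFound.php?error=Video%20not%20found HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
  '203.0.113.7 - - [21/Mar/2026:10:00:09 +0000] "GET /videoNotFound.php?error=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1" 200 640 "-" "curl/8.0"',
  '198.51.100.2 - - [21/Mar/2026:10:01:15 +0000] "GET /video/abc123 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
  '203.0.113.7 - - [21/Mar/2026:10:02:30 +0000] "GET /videoNotFound.php?error=%253Csvg%2Fonload%3Dalert(1)%253E HTTP/1.1" 200 640 "-" "curl/8.0"',
];

// client, ident, user, [timestamp], "METHOD target PROTO", status
const LOG_LINE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/;

// HTML tokenizer leaves the data state on "<" + letter, "/", "!" or "?".
const TAG_OPEN = /<[A-Za-z\/!?]/;

// Decode percent-encoding until the value stops changing (bounded), so a
// double-encoded probe is seen the way the application will eventually see it.
function fullyDecode(value, maxRounds = 3) {
  let cur = value;
  for (let i = 0; i < maxRounds; i++) {
    let next;
    try {
      next = decodeURIComponent(cur.replace(/\+/g, ' '));
    } catch {
      return cur; // malformed escape: keep what we have rather than drop the line
    }
    if (next === cur) break;
    cur = next;
  }
  return cur;
}

// Parse one combined-format line into the fields the scan needs; null if it
// does not match (truncated or foreign format).
function parseLine(line) {
  const m = LOG_LINE.exec(line);
  if (!m) return null;
  const [, ip, ts, method, target, status] = m;
  // a base origin is required because the log target is path-only
  const url = new URL(target, 'http://placeholder.invalid');
  return { ip, ts, method, path: url.pathname, params: url.searchParams, status: Number(status) };
}

// Return one finding per (request, parameter) whose decoded value would be
// parsed as markup by innerHTML. pathFilter defaults to the vulnerable page;
// pass /./ to scan every path.
function scanLogLines(lines, pathFilter = /videoNotFound\.php$/i) {
  const findings = [];
  for (const line of lines) {
    const req = parseLine(line);
    if (!req || !pathFilter.test(req.path)) continue;
    for (const [name, raw] of req.params) {
      // URLSearchParams already decoded one layer; fullyDecode handles the rest
      const decoded = fullyDecode(raw);
      if (TAG_OPEN.test(decoded)) {
        findings.push({ ip: req.ip, ts: req.ts, param: name, value: decoded });
      }
    }
  }
  return findings;
}

for (const f of scanLogLines(SAMPLE_LOG)) {
  console.log(`${f.ts} ${f.ip} param=${f.param} value=${f.value}`);
}
```

Feeding a real log in is a matter of replacing SAMPLE_LOG with the file's lines; the scan reports the client address and timestamp, which are what an incident responder needs to pivot on.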


Tracking


Advisories
Source: GitHub GHSA
ID: GHSA-wfq5-qgqp-hvhv
Title: Unauthenticated Reflected XSS via innerHTML in AVideo
History

Tue, 24 Mar 2026 16:45:00 +0000

Type: CPEs
Values Added: cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*

Type: Metrics (cvssV3_1)
Values Added: {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


Fri, 20 Mar 2026 16:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 20 Mar 2026 09:00:00 +0000

Type: First Time appeared
Values Added: Wwbn; Wwbn avideo

Type: Vendors & Products
Values Added: Wwbn; Wwbn avideo

Fri, 20 Mar 2026 05:15:00 +0000

Type: Description
Values Added: WWBN AVideo is an open source video platform. In versions 25.0 and below, there is a reflected XSS vulnerability that allows unauthenticated attackers to execute arbitrary JavaScript in a victim's browser. User input from a URL parameter flows through PHP's json_encode() into a JavaScript function that renders it via innerHTML, bypassing encoding and achieving full script execution. The vulnerability is caused by two issues working together: unescaped user input passed to JavaScript (videoNotFound.php), and innerHTML rendering HTML tags as executable DOM (script.js). The attack can be escalated to steal session cookies, take over accounts, phish credentials via injected login forms, spread self-propagating payloads, and compromise admin accounts — all by exploiting the lack of proper input sanitization and cookie security (e.g., missing HttpOnly flag on PHPSESSID). The issue has been fixed in version 26.0.

Type: Title
Values Added: Unauthenticated Reflected XSS via innerHTML in AVideo

Type: Weaknesses
Values Added: CWE-79

Type: References
Values Added:

Type: Metrics (cvssV4_0)
Values Added: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-20T15:40:13.134Z

Reserved: 2026-03-17T18:10:50.209Z

Link: CVE-2026-33035

Vulnrichment

Updated: 2026-03-20T15:40:03.227Z

NVD

Status : Analyzed

Published: 2026-03-20T05:16:16.103

Modified: 2026-03-24T16:30:45.583

Link: CVE-2026-33035

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T14:30:26Z

Weaknesses