Description
WWBN AVideo is an open source video platform. Prior to version 26.0, WWBN/AVideo contains a stored cross-site scripting vulnerability in the CDN plugin's download buttons component. The `clean_title` field of a video record is interpolated directly into a JavaScript string literal without any escaping, allowing an attacker who can create or modify a video to inject arbitrary JavaScript that executes in the browser of any user who visits the affected download page. Version 26.0 fixes the issue.
Published: 2026-03-22
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting (arbitrary JavaScript execution in users’ browsers)
Action: Immediate Patch
AI Analysis

Impact

WWBN AVideo contains a stored XSS flaw that allows an attacker who can create or modify a video to inject arbitrary JavaScript through the unescaped clean_title field. The injected script is embedded directly into a JavaScript string literal in CDN downloadButtons.php, causing it to run automatically whenever any user accesses the affected download page. The attacker could use the script to steal information from the victim’s browser or hijack the user’s session; these possibilities are inferred from the nature of stored XSS.

Affected Systems

Any deployment of WWBN AVideo using the CDN plugin’s downloadButtons.php with a version earlier than 26.0 is vulnerable. The vulnerability applies to all installations of the open‑source video platform that have not yet applied the patch fixed in release 26.0.

Risk and Exploitability

The CVSS score of 8.2 classifies the flaw as high severity. EPSS is reported as less than 1 %, indicating a low forecasted probability of exploitation, but the presence of stored XSS and lack of a KEV listing do not diminish the potential impact. The likely attack vector is web‑based, requiring the attacker to create or modify a video record through the platform’s interface or API; once the payload is stored, it executes automatically for all visitors to the affected download page.

Generated by OpenCVE AI on March 24, 2026 at 20:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade WWBN AVideo to version 26.0 or later
  • If an immediate upgrade is not possible, modify CDN downloadButtons.php to escape or sanitize the clean_title value before embedding it into a JavaScript string literal
  • Restrict upload permissions or enforce strict input validation for video titles until the code change is deployed

Generated by OpenCVE AI on March 24, 2026 at 20:07 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-gc3m-4mcr-h3pv AVideo Affected by Stored XSS via Unescaped Video Title in CDN downloadButtons.php
History

Tue, 24 Mar 2026 18:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

Tue, 24 Mar 2026 02:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 23 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Wwbn
Wwbn avideo
Vendors & Products Wwbn
Wwbn avideo

Sun, 22 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
Description WWBN AVideo is an open source video platform. Prior to version 26.0, WWBN/AVideo contains a stored cross-site scripting vulnerability in the CDN plugin's download buttons component. The `clean_title` field of a video record is interpolated directly into a JavaScript string literal without any escaping, allowing an attacker who can create or modify a video to inject arbitrary JavaScript that executes in the browser of any user who visits the affected download page. Version 26.0 fixes the issue.
Title AVideo Vulnerable to Stored XSS via Unescaped Video Title in CDN downloadButtons.php
Weaknesses CWE-79
References
Metrics cvssV4_0

{'score': 8.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N'}

Subscriptions

Wwbn Avideo
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-23T21:41:07.505Z

Reserved: 2026-03-18T18:55:47.427Z

Link: CVE-2026-33295

cve-icon Vulnrichment

Updated: 2026-03-23T21:33:58.042Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-22T17:17:09.257

Modified: 2026-03-24T17:53:43.180

Link: CVE-2026-33295

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-25T14:50:26Z

Weaknesses