Description
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `view/forbiddenPage.php` and `view/warningPage.php` templates reflect the `$_REQUEST['unlockPassword']` parameter directly into an HTML `<input>` tag's attributes without any output encoding or sanitization. An attacker can craft a URL that breaks out of the `value` attribute and injects arbitrary HTML attributes including JavaScript event handlers, achieving reflected XSS against any visitor who clicks the link. Commit f154167251c9cf183ce09cd018d07e9352310457 contains a patch.
Published: 2026-03-23
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Reflected XSS
Action: Apply Patch
AI Analysis

Impact

The flaw resides in AVideo’s view templates, where the unlockPassword request parameter is inserted directly into an HTML input tag without any encoding. By inserting a payload that closes the value attribute and adds JavaScript event handlers, an attacker can force the browser to execute code when a victim clicks a crafted link. This is a classic reflected cross‑site scripting vulnerability (CWE‑79) that can compromise a visitor’s session or steal credentials.

Affected Systems

The vulnerability affects all community editions of WWBN AVideo, specifically versions 26.0 and earlier. The open source platform’s view/forbiddenPage.php and view/warningPage.php files are responsible for rendering the pages, and the faulty code remains until the patch is applied. No third‑party CPEs were listed beyond the generic AVideo CPE.

Risk and Exploitability

The CVSS base score of 6.1 indicates a moderate risk, and the EPSS score of less than 1 % suggests a low chance of current exploitation. The vulnerability is not included in CISA’s KEV catalog. An attacker can exploit it remotely by crafting a URL that supplies a malicious unlockPassword value; the victim must then visit the link. Because the flaw is reflected and unauthenticated, the exploitation effort is low, but the potential impact on confidential user data or session hijacking makes it a priority to address.

Generated by OpenCVE AI on March 24, 2026 at 19:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade AVideo to a version that includes the mitigation (apply the commit f154167251c9cf183ce09cd018d07e9352310457 or newer than 26.0).
  • If an upgrade is not immediately possible, edit view/forbiddenPage.php and view/warningPage.php to encode the unlockPassword parameter (for example, using htmlspecialchars) before outputting it into the HTML attribute.
  • Consider disabling the unlockPassword functionality or removing the parameter from public URLs until a patch is available.

Generated by OpenCVE AI on March 24, 2026 at 19:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-7292-w8qp-mhq2 AVideo has Reflected XSS via unlockPassword Parameter in forbiddenPage.php and warningPage.php
History

Tue, 24 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*

Tue, 24 Mar 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Wwbn
Wwbn avideo
Vendors & Products Wwbn
Wwbn avideo

Mon, 23 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 23 Mar 2026 16:30:00 +0000

Type Values Removed Values Added
Description WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `view/forbiddenPage.php` and `view/warningPage.php` templates reflect the `$_REQUEST['unlockPassword']` parameter directly into an HTML `<input>` tag's attributes without any output encoding or sanitization. An attacker can craft a URL that breaks out of the `value` attribute and injects arbitrary HTML attributes including JavaScript event handlers, achieving reflected XSS against any visitor who clicks the link. Commit f154167251c9cf183ce09cd018d07e9352310457 contains a patch.
Title AVideo has Reflected XSS via unlockPassword Parameter in forbiddenPage.php and warningPage.php
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Subscriptions

Wwbn Avideo
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-23T17:42:30.355Z

Reserved: 2026-03-20T16:59:08.888Z

Link: CVE-2026-33499

cve-icon Vulnrichment

Updated: 2026-03-23T17:42:14.415Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-23T17:16:51.180

Modified: 2026-03-24T18:11:56.560

Link: CVE-2026-33499

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-25T20:37:27Z

Weaknesses