Description
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the fix for CVE-2026-27568 (GHSA-rcqw-6466-3mv7) introduced a custom `ParsedownSafeWithLinks` class that sanitizes raw HTML `<a>` and `<img>` tags in comments, but explicitly disables Parsedown's `safeMode`. This creates a bypass: markdown link syntax `[text](javascript:alert(1))` is processed by Parsedown's `inlineLink()` method, which does not go through the custom `sanitizeATag()` sanitization (that only handles raw HTML tags). With `safeMode` disabled, Parsedown's built-in `javascript:` URI filtering (`sanitiseElement()`/`filterUnsafeUrlInAttribute()`) is also inactive. An attacker can inject stored XSS via comment markdown links. Commit 3ae02fa240939dbefc5949d64f05790fd25d728d contains a patch.
Published: 2026-03-23
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored XSS enabling arbitrary script execution in victim browsers
Action: Immediate Patch
AI Analysis

Impact

A custom sanitization class was added to WWBN AVideo to filter raw HTML tags in comments, but the class disables Parsedown's safe mode. This turns off the built-in `javascript:` URI filter, allowing a markdown link such as `[text](javascript:alert(1))` to be processed and stored unchanged. When a user views the comment, the browser executes the injected script, giving the attacker the ability to run arbitrary script in the victim's session. The vulnerability is a classic stored XSS (CWE-79) that can lead to session hijacking, defacement, or theft of sensitive data.

Affected Systems

All WWBN AVideo releases up to and including version 26.0 are affected. The issue resides in the comment handling subsystem and impacts every instance of those releases that uses the default comment moderation.

Risk and Exploitability

The CVSS score of 5.4 indicates moderate severity, while an EPSS score of less than 1% suggests a low likelihood of widespread exploitation. The vulnerability is not listed in CISA's KEV catalog, so there is no record of exploitation in the wild, although the SSVC entry in the history below records exploitation status 'poc'. The likely attack vector is social or spam comment posting; an attacker only needs the ability to add a comment to a publicly visible page. Once the malicious markdown link is stored, any subsequent viewer of the page is exposed to the injected script, so the damage is immediate for each visitor.

Generated by OpenCVE AI on March 24, 2026 at 20:06 UTC.
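The mechanism in the description and analysis above, as an added illustration that is not part of OpenCVE's analysis and not code from AVideo or Parsedown (both are PHP; this stand-alone Python model deliberately avoids depending on either). It models the two-stage mistake (URLs filtered only in raw HTML tags, while the markdown link renderer emits hrefs unfiltered) beside the fix that Parsedown's safeMode provides: a scheme allowlist applied to every href in the final HTML, whichever input syntax produced it. The function names, the regexes, the allowlist (modelled on, not copied from, Parsedown's safe-link prefixes) and the sample comments are all constructed assumptions.

```python
"""
Added example, not AVideo or Parsedown code: a stand-alone model of filtering
link URLs only in raw HTML tags (the incomplete fix) beside filtering every
href in the rendered output (what enabling Parsedown's safeMode achieves).
Names, regexes, allowlist and sample data are constructed for illustration.
"""
import html
import re

# Constructed sample comments, as a moderator might find them in a comments table.
SAMPLE_COMMENTS = [
    "Nice video! See also [the docs](https://example.org/docs).",
    "Click [here](javascript:alert(1)) for a prize",        # markdown form named in the advisory
    'Raw tag: <a href="javascript:alert(2)">link</a>',       # raw HTML form
    "[mixed case](JaVaScRiPt:alert(3))",                     # scheme check must be case-insensitive
    '<a href="java\tscript:alert(4)">tab</a>',               # browsers drop tabs/newlines in URLs
    "[relative](/videos/42) and [mail](mailto:admin@example.org)",
]

# Prefix allowlist modelled on (not copied from) Parsedown's safe-link list.
SAFE_URL_PREFIXES = (
    "http://", "https://", "ftp://", "ftps://", "mailto:", "tel:",
    "data:image/png;base64,", "data:image/gif;base64,", "data:image/jpeg;base64,",
)

# [text](url) with one level of parentheses inside the url; the alternatives are
# disjoint and there are no nested quantifiers, so the pattern cannot backtrack badly.
_MD_LINK = re.compile(r"\[([^\]]*)\]\(((?:[^()\s]|\([^()\s]*\))*)\)")
_HREF = re.compile(r'href="([^"]*)"', re.IGNORECASE)


def safe_url(url: str) -> str:
    """Allowlist check in the spirit of Parsedown's filterUnsafeUrlInAttribute().
    Whitespace and control characters are removed before the comparison because
    browsers ignore them when parsing a scheme. A URL that has a scheme but is
    not on the allowlist gets its ':' percent-encoded, so it can no longer be
    interpreted as 'javascript:'; relative URLs (no colon at all) pass through.
    """
    stripped = "".join(ch for ch in url if ord(ch) > 0x20 and ord(ch) != 0x7F)
    if stripped.lower().startswith(SAFE_URL_PREFIXES):
        return url
    if ":" not in stripped:
        return url
    return stripped.replace(":", "%3A")


def filter_href_attributes(html_text: str) -> str:
    """Apply safe_url() to every href="..." attribute present in the text."""
    return _HREF.sub(lambda m: 'href="%s"' % safe_url(m.group(1)), html_text)


def render_markdown_links(text: str) -> str:
    """Model of a markdown inlineLink() with safeMode off: the destination is copied
    into href with HTML escaping only. Escaping stops attribute breakout; it does
    nothing about the URL scheme."""
    def repl(m):
        return '<a href="%s">%s</a>' % (html.escape(m.group(2), quote=True),
                                        html.escape(m.group(1)))
    return _MD_LINK.sub(repl, text)


def render_incomplete_fix(comment: str) -> str:
    """The vulnerable flow: raw HTML tags are filtered first, then markdown links
    are rendered with no URL filtering, so [x](javascript:...) reaches the page."""
    return render_markdown_links(filter_href_attributes(comment))


def render_hardened(comment: str) -> str:
    """The fix: render first, then filter every href in the final HTML, whichever
    input syntax produced it (the effect of enabling safeMode)."""
    return filter_href_attributes(render_markdown_links(comment))


def unsafe_hrefs(rendered: str) -> list:
    """Every href in rendered HTML that the allowlist would have altered."""
    return [u for u in _HREF.findall(rendered) if safe_url(u) != u]


def audit_stored_comments(comments) -> list:
    """Indices of comments that reach the browser with a rejected URL under the
    vulnerable flow. Running this over an existing comments table after patching
    shows which stored comments slipped past the raw-tag-only sanitiser."""
    return [i for i, c in enumerate(comments) if unsafe_hrefs(render_incomplete_fix(c))]


if __name__ == "__main__":
    for i, c in enumerate(SAMPLE_COMMENTS):
        print(i, "incomplete:", render_incomplete_fix(c))
        print(i, "hardened:  ", render_hardened(c))
    print("slipped through the incomplete fix:", audit_stored_comments(SAMPLE_COMMENTS))
```

The same `filter_href_attributes` function is used in both flows; the only difference is the stage at which it runs. Applied to the raw input it can only see hand-written `<a>` tags, which is exactly why the markdown form bypasses it; applied to the rendered output it covers both forms with one check. The `src` attribute of `<img>` needs the identical treatment in a real deployment.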

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official patch contained in commit 3ae02fa240939dbefc5949d64f05790fd25d728d to remove the unsafe markdown link handling logic.
  • Upgrade AVideo to a version released after this patch or otherwise ensure that comments are sanitized to disallow 'javascript:' URLs.
  • If upgrading is not immediately possible, restrict comment posting to trusted users or disable Markdown parsing for comment fields to mitigate injection.


Advisories
Source: Github GHSA
ID: GHSA-72h5-39r7-r26j
Title: AVideo - Incomplete Fix for CVE-2026-27568: Stored XSS via Markdown `javascript:` URI Bypasses ParsedownSafeWithLinks Sanitization
History

Tue, 24 Mar 2026 18:15:00 +0000

Type    | Values Removed | Values Added
CPEs    |                | cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*
Metrics |                | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 24 Mar 2026 10:45:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Wwbn; Wwbn avideo
Vendors & Products  |                | Wwbn; Wwbn avideo

Mon, 23 Mar 2026 16:30:00 +0000

Type        | Values Removed | Values Added
Description |                | (text identical to the Description at the top of this page)
Title       |                | AVideo Vulnerable to Stored XSS via Markdown `javascript:` URI Bypasses ParsedownSafeWithLinks Sanitization
Weaknesses  |                | CWE-79
References  |                |
Metrics     |                | cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-24T17:39:33.796Z

Reserved: 2026-03-20T16:59:08.888Z

Link: CVE-2026-33500

Vulnrichment

Updated: 2026-03-24T17:39:22.996Z

NVD

Status : Analyzed

Published: 2026-03-23T17:16:51.340

Modified: 2026-03-24T18:11:11.797

Link: CVE-2026-33500

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T20:37:26Z

Weaknesses