CVE-2026-39367 - Vulnerability Details

- WWBN AVideo has Stored XSS via Malicious EPG XML Program Titles in AVideo EPG Page

Description

WWBN AVideo is an open source video platform. In versions 26.0 and prior, AVideo's EPG (Electronic Program Guide) feature parses XML from user-controlled URLs and renders programme titles directly into HTML without any sanitization or escaping. A user with upload permission can set a video's epg_link to a malicious XML file whose <title> elements contain JavaScript. This payload executes in the browser of any unauthenticated visitor to the public EPG page, enabling session hijacking and account takeover.

Published: 2026-04-07

Score: 5.4 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The Electronic Program Guide (EPG) of WWBN AVideo imports XML from a user‑supplied URL and injects title elements directly into the browser page without sanitization or escaping. When a user with upload permission assigns a video the epg_link field to a malicious XML file containing JavaScript in its <title> tags, that script runs in any browser that loads the public EPG page. The injected code can steal session cookies and take over user accounts, representing a classic stored cross‑site scripting flaw. The weakness corresponds to OWASP's CWE‑79.

Affected Systems

All releases of WWBN AVideo version 26.0 and earlier are affected. Users who run these or older versions without the addressed patch are exposed until upgrading to a newer release that sanitizes EPG titles.

Risk and Exploitability

The CVSS score of 5.4 places the flaw in a moderate severity range. No EPSS value or KEV listing is available, but the vulnerability requires only an authenticated upload‑capable user to supply the malicious XML. Once the XML is stored, every unauthenticated visitor to the EPG page becomes a victim, making the attack vector publicly reachable via web browsers. Though server compromise is not required, the potential for widespread account takeover warrants prompt remediation.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

WWBN

AVideo

affected

Version	Status	Constraints
`<= 26.0`	affected	—

Configuration 1 [-]

cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*

No data.

Vendor Product Confidence Versions

Wwbn

Avideo

100%

Version	Status	Scheme	Platform
`[0,26.0]`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade to the latest AVideo release (≥27.0) or apply the patch commit e0212add4aad0f1e97758a4b4fdc57df58ce68e8

Generated by OpenCVE AI on April 7, 2026 at 22:41 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-rqp3-gf5h-mrqx	WWBN AVideo has Stored XSS via Malicious EPG XML Program Titles in AVideo EPG Page

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00034.

Exploitation poc

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/WWBN/AVideo/commit/e0212add4aad0f1e97758a4b4fdc57df58ce68e8
https://github.com/WWBN/AVideo/security/advisories/GHSA-rqp3-gf5h-mrqx

History

Wed, 22 Apr 2026 19:00:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:a:wwbn:avideo::::::::

Thu, 09 Apr 2026 07:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 08 Apr 2026 19:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Wwbn Wwbn avideo
Vendors & Products		Wwbn Wwbn avideo

Tue, 07 Apr 2026 20:45:00 +0000

Type	Values Removed	Values Added
Description		WWBN AVideo is an open source video platform. In versions 26.0 and prior, AVideo's EPG (Electronic Program Guide) feature parses XML from user-controlled URLs and renders programme titles directly into HTML without any sanitization or escaping. A user with upload permission can set a video's epg_link to a malicious XML file whose <title> elements contain JavaScript. This payload executes in the browser of any unauthenticated visitor to the public EPG page, enabling session hijacking and account takeover.
Title		WWBN AVideo has Stored XSS via Malicious EPG XML Program Titles in AVideo EPG Page
Weaknesses		CWE-79
References		https://github.com/WWBN/AVideo/commit/e0212add4aad0f1e97758a4b4fdc57df58ce68e8 https://github.com/WWBN/AVideo/security/advisories/GHSA-rqp3-gf5h-mrqx
Metrics		cvssV3_1 `{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}`

Subscriptions

Wwbn Avideo

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-04-07T19:22:07.732Z

Updated: 2026-04-08T17:47:40.548Z

Reserved: 2026-04-06T21:29:17.350Z

Link: CVE-2026-39367

Vulnrichment

Updated: 2026-04-08T17:47:26.181Z

NVD

Status : Analyzed

Published: 2026-04-07T20:16:30.677

Modified: 2026-04-22T18:51:19.380

Link: CVE-2026-39367

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-08T19:46:20Z

Weaknesses

CWE-79

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

Exploitation poc

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object