Description
WWBN AVideo is an open source video platform. In versions 29.0 and below, the `isValidDuration()` regex at `objects/video.php:918` uses `/^[0-9]{1,2}:[0-9]{1,2}:[0-9]{1,2}/` without a `$` end anchor, allowing arbitrary HTML/JavaScript to be appended after a valid duration prefix. The crafted duration is stored in the database and rendered without HTML escaping via `echo Video::getCleanDuration()` on trending pages, playlist pages, and video gallery thumbnails, resulting in stored cross-site scripting. Commit bcba324644df8b4ed1f891462455f1cd26822a45 contains a fix.
Published: 2026-04-21
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross-Site Scripting
Action: Patch
AI Analysis

Impact

An improperly anchored regular expression used to validate video duration strings allows an attacker to supply a valid timestamp prefix and then append arbitrary HTML or JavaScript. Once the crafted duration is stored in the database, it is later rendered without escaping on pages such as trending videos, playlists, and thumbnail galleries, resulting in stored cross-site scripting that executes in the browser of any site visitor who loads those pages.

Affected Systems

WWBN AVideo versions 29.0 and earlier are affected because the regex at objects/video.php:918 lacks a terminating anchor. The upstream patch (commit bcba324644df8b4ed1f891462455f1cd26822a45) updates the pattern to include a $ anchor. Administrators who allow users to submit or edit video metadata should be aware that any user capable of providing a duration field could trigger this issue.

Risk and Exploitability

The CVSS score of 5.4 indicates a moderate severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires the ability to insert or modify a video's duration, which is typically available to account holders who can upload or edit content. Once stored, the malicious payload is served to all visitors who load pages that display the duration, potentially enabling arbitrary script execution in those browsers.

Generated by OpenCVE AI on April 22, 2026 at 06:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the commit bcba324644df8b4ed1f891462455f1cd26822a45 or upgrade to any AVideo release newer than 29.0 that incorporates the fix.
  • If an upgrade is not immediately possible, reject or sanitize duration input that contains characters beyond digits and colons, or enforce stricter validation to match only the exact timestamp format.
  • As a temporary measure, apply HTML escaping to the output of Video::getCleanDuration() on all pages where the duration appears, ensuring any injected markup is neutralized.
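The following is an added example (not AVideo's own code, and not the upstream commit): it places the unanchored pattern quoted in the description beside an anchored replacement, and escapes the value on output as the last recommendation suggests. The helper names and the sample inputs are constructed for illustration; the `D` modifier is an extra hardening step of this example, not something the advisory attributes to the fix.

```php
<?php
// Added example, not code from the AVideo project.

// Hypothetical helper reproducing the pattern described for versions <= 29.0:
// '^' anchors the start, but nothing anchors the end, so anything may follow
// a well-formed hh:mm:ss prefix and still validate.
function isValidDurationUnanchored(string $d): bool
{
    return preg_match('/^[0-9]{1,2}:[0-9]{1,2}:[0-9]{1,2}/', $d) === 1;
}

// Hypothetical hardened helper: '$' rejects trailing data. The 'D' modifier
// (PCRE_DOLLAR_ENDONLY) is added here because a bare '$' in PCRE still
// matches just before a final newline, so "01:02:03\n" would otherwise pass.
function isValidDurationAnchored(string $d): bool
{
    return preg_match('/^[0-9]{1,2}:[0-9]{1,2}:[0-9]{1,2}$/D', $d) === 1;
}

// Defence in depth on the output side: escape before the value reaches HTML,
// so even a stored value that slipped past validation cannot inject markup.
function renderDuration(string $d): string
{
    return htmlspecialchars($d, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed inputs: a clean duration, a valid prefix with harmless markup
// appended (placeholder, not a payload), and a valid prefix with a trailing newline.
$samples = [
    '01:02:03',
    '01:02:03<b>x</b>',
    "01:02:03\n",
];

foreach ($samples as $s) {
    printf(
        "%-22s unanchored=%-5s anchored=%-5s rendered=%s\n",
        json_encode($s),
        var_export(isValidDurationUnanchored($s), true),
        var_export(isValidDurationAnchored($s), true),
        renderDuration($s)
    );
}
```

Only the first sample passes the anchored check; the unanchored pattern accepts all three, and the rendered column shows the appended markup neutralised as entities regardless of which validator is in place.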


Advisories

No advisories yet.

History

Wed, 22 Apr 2026 14:15:00 +0000
  Type: Metrics
  Values removed: none
  Values added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 22 Apr 2026 03:45:00 +0000
  Type: First Time appeared
  Values removed: none
  Values added: Wwbn, Wwbn avideo
  Type: Vendors & Products
  Values removed: none
  Values added: Wwbn, Wwbn avideo

Wed, 22 Apr 2026 00:00:00 +0000
  Type: Description
  Values removed: none
  Values added: the description given in the Description section at the top of this page
  Type: Title
  Values removed: none
  Values added: WWBN AVideo Vulnerable to stored XSS via Unanchored Duration Regex in Video Encoder Receiver
  Type: Weaknesses
  Values removed: none
  Values added: CWE-79
  Type: References
  Values removed: none
  Values added: (none listed)
  Type: Metrics
  Values removed: none
  Values added: cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-22T13:14:27.800Z

Reserved: 2026-04-16T16:43:03.173Z

Link: CVE-2026-41061

Vulnrichment

Updated: 2026-04-22T13:14:19.062Z

NVD

Status: Received

Published: 2026-04-21T23:16:21.387

Modified: 2026-04-22T14:17:03.970

Link: CVE-2026-41061

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T06:15:10Z

Weaknesses