Description
WWBN AVideo is an open source video platform. In versions 29.0 and below, an incomplete XSS fix in AVideo's `ParsedownSafeWithLinks` class overrides `inlineMarkup` for raw HTML but does not override `inlineLink()` or `inlineUrlTag()`, allowing `javascript:` URLs in markdown link syntax to bypass sanitization. Commit cae8f0dadbdd962c89b91d0095c76edb8aadcacf contains an updated fix.
Published: 2026-04-21
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting
Action: Update Patch
AI Analysis

Impact

The vulnerability arises from incomplete sanitization in AVideo’s Markdown processing. The override that blocks raw HTML works, but the class does not intercept links built via inlineLink() or inlineUrlTag(). As a result, users can insert Markdown links that reference javascript: URLs, which bypass the sanitizer and execute arbitrary script in the browser of any visitor who views the page. This could allow an attacker to steal session cookies, deface the site, or insert phishing content, all without needing privileges beyond the ability to publish content.
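One way to close the gap described here, written as an added example rather than AVideo's or Parsedown's own code: a Parsedown 1.7 subclass that overrides inlineLink() and inlineUrlTag() and drops any anchor whose href scheme is not on an allow-list. The class name, isSafeUrl() and filterAnchor() are assumed names; the raw-HTML (inlineMarkup) override the existing class already has is not reproduced.

```php
<?php
// Added example, not AVideo's or Parsedown's own code. Extends Parsedown 1.7's base
// class and overrides the two hooks the advisory names; helper names are assumed.
require_once 'Parsedown.php';

class HardenedParsedownLinks extends Parsedown
{
    // Schemes a link may carry; javascript:, vbscript:, data: etc. are rejected.
    private $allowedSchemes = array('http', 'https', 'mailto');

    // True for relative URLs and for absolute URLs with an allowed scheme.
    public function isSafeUrl($url)
    {
        // Browsers drop ASCII control characters and whitespace when reading
        // the scheme, so "java\tscript:" must be treated as "javascript:".
        $normalised = preg_replace('/[\x00-\x20\x7f]+/', '', (string) $url);
        if (!preg_match('/^([a-z][a-z0-9+.\-]*):/i', $normalised, $m)) {
            return true; // no scheme at all: /watch?v=1, #anchor, ./about
        }
        return in_array(strtolower($m[1]), $this->allowedSchemes, true);
    }

    // [text](url "title") form: let the parent parse it, then vet the href.
    protected function inlineLink($Excerpt)
    {
        return $this->filterAnchor(parent::inlineLink($Excerpt));
    }

    // <scheme://host/...> form, which the incomplete fix also left unguarded.
    protected function inlineUrlTag($Excerpt)
    {
        return $this->filterAnchor(parent::inlineUrlTag($Excerpt));
    }

    // Returning null tells Parsedown no inline matched here, so the markdown
    // source is emitted as escaped literal text instead of an <a> element.
    private function filterAnchor($Inline)
    {
        if (!isset($Inline['element']['attributes']['href'])) {
            return $Inline; // parent produced no link
        }
        return $this->isSafeUrl($Inline['element']['attributes']['href']) ? $Inline : null;
    }
}

// Constructed input: the first link survives, the other two are neutralised.
$parser = new HardenedParsedownLinks();
echo $parser->text('[ok](https://example.com) [x](javascript:alert(1)) <javascript://x>');
```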

Affected Systems

The flaw exists in all AVideo releases up to and including version 29.0. The affected component is the ParsedownSafeWithLinks class, part of the public AVideo distribution from WWBN.

Risk and Exploitability

The CVSS score of 5.4 indicates a moderate risk profile. No EPSS score is available, and the vulnerability is not listed in CISA’s KEV catalog, suggesting limited exploitation data. The attack vector is likely through user‑generated Markdown content; an attacker could embed a malicious link in posts, comments, or other free‑form fields that render Markdown. If a user with publishing rights can inject the payload, the XSS will trigger when any visitor views the page.

Generated by OpenCVE AI on April 22, 2026 at 06:12 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Apply the GitHub commit containing the updated sanitization patch (cae8f0dadbdd962c89b91d0095c76edb8aadcacf) or upgrade to a later AVideo release that includes this fix.
  • If an immediate upgrade is not possible, disable raw HTML parsing or modify the Markdown engine configuration to reject javascript: URLs in links and URL tags until the fix is applied.
  • Review all user‑generated content for suspicious links and remediate any malicious entries to counteract potential exploitation.

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 01:45:00 +0000

Type                 Values Removed  Values Added
First Time appeared  -               Wwbn; Wwbn avideo
Vendors & Products   -               Wwbn; Wwbn avideo

Wed, 22 Apr 2026 00:00:00 +0000

Type         Values Removed  Values Added
Description  -               WWBN AVideo is an open source video platform. In versions 29.0 and below, an incomplete XSS fix in AVideo's `ParsedownSafeWithLinks` class overrides `inlineMarkup` for raw HTML but does not override `inlineLink()` or `inlineUrlTag()`, allowing `javascript:` URLs in markdown link syntax to bypass sanitization. Commit cae8f0dadbdd962c89b91d0095c76edb8aadcacf contains an updated fix.
Title        -               WWBN AVideo has incomplete fix for CVE-2026-33500 (XSS)
Weaknesses   -               CWE-79
References   -               -
Metrics      -               cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-21T23:07:13.350Z

Reserved: 2026-04-16T16:43:03.173Z

Link: CVE-2026-41063

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-04-21T23:16:21.663

Modified: 2026-04-22T00:16:28.097

Link: CVE-2026-41063

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T06:15:10Z

Weaknesses