CVE-2026-33295

AVideo Vulnerable to Stored XSS via Unescaped Video Title in CDN downloadButtons.php

Title source: cna

Description

WWBN AVideo is an open source video platform. Prior to version 26.0, WWBN/AVideo contains a stored cross-site scripting vulnerability in the CDN plugin's download buttons component. The `clean_title` field of a video record is interpolated directly into a JavaScript string literal without any escaping, allowing an attacker who can create or modify a video to inject arbitrary JavaScript that executes in the browser of any user who visits the affected download page. Version 26.0 fixes the issue.

References (2)

[X_Refsource_Confirm] https://github.com/WWBN/AVideo/security/advisories/GHSA-gc3m-4mcr-h3pv

[X_Refsource_Misc] https://github.com/WWBN/AVideo/commit/30cdd825fa5778c1d678c2402be2413b84ee4833

View Writeup ZIP pw:eip

Details

CWE

CWE-79

Status published

Products (1)

WWBN/AVideo < < 26.0

Published Mar 22, 2026

Tracked Since Mar 22, 2026