High severity · NVD Advisory · Published Mar 22, 2026 · Updated Mar 23, 2026
AVideo Vulnerable to Stored XSS via Unescaped Video Title in CDN downloadButtons.php
CVE-2026-33295
Description
WWBN AVideo is an open source video platform. Prior to version 26.0, WWBN/AVideo contains a stored cross-site scripting vulnerability in the CDN plugin's download buttons component. The clean_title field of a video record is interpolated directly into a JavaScript string literal without any escaping, allowing an attacker who can create or modify a video to inject arbitrary JavaScript that executes in the browser of any user who visits the affected download page. Version 26.0 fixes the issue.
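The pattern described above, as an added PHP example that is not AVideo's code and not the fix commit: a stored value pasted between quotes in an inline script, next to a version that emits it with json_encode() and the JSON_HEX_* flags. The function names, the downloadName variable and the sample titles are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added illustration, not AVideo's code. All names here are hypothetical.

// Vulnerable pattern: the stored value is pasted between quotes in an inline script.
function renderUnsafe(string $cleanTitle): string
{
    return "<script>var downloadName = '" . $cleanTitle . "';</script>";
}

// json_encode() returns a complete, quoted JS string literal. The JSON_HEX_* flags
// emit <, >, &, ' and " as \uXXXX escapes, so the value can close neither the
// string nor the enclosing <script> element.
function jsStringLiteral(string $value): string
{
    return json_encode($value, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS
        | JSON_HEX_QUOT | JSON_INVALID_UTF8_SUBSTITUTE | JSON_THROW_ON_ERROR);
}

function renderSafe(string $cleanTitle): string
{
    return '<script>var downloadName = ' . jsStringLiteral($cleanTitle) . ';</script>';
}

// True when nothing between the literal's outer quotes could end the string or the tag.
function literalIsContained(string $literal): bool
{
    return preg_match('/^"[^"\'<>&\r\n]*"$/', $literal) === 1;
}

// Constructed sample titles, not taken from the advisory.
$titles = ['Holiday clip', "Bob's clip", "x';probe();//", '</script><i>', 'back\\slash'];

foreach ($titles as $title) {
    $literal = jsStringLiteral($title);
    printf("%-16s unsafe: %s\n", $title, renderUnsafe($title));
    printf("%-16s safe:   %s contained=%s\n", '', renderSafe($title),
        literalIsContained($literal) ? 'yes' : 'no');
}
```

This encoding covers a value placed in a script block; when the same value lands inside an HTML attribute such as an inline event handler, the result also needs HTML attribute encoding (htmlspecialchars() with ENT_QUOTES).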
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| wwbn/avideo (Packagist) | <= 25.0 | — |
References
- github.com/advisories/GHSA-gc3m-4mcr-h3pv (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-33295 (ghsa, ADVISORY)
- github.com/WWBN/AVideo/commit/30cdd825fa5778c1d678c2402be2413b84ee4833 (ghsa, x_refsource_MISC, WEB)
- github.com/WWBN/AVideo/security/advisories/GHSA-gc3m-4mcr-h3pv (ghsa, x_refsource_CONFIRM, WEB)