High severity · NVD Advisory · Published Mar 22, 2026 · Updated Mar 23, 2026
AVideo Vulnerable to Stored XSS via Unescaped Video Title in CDN downloadButtons.php
CVE-2026-33295
Description
WWBN AVideo is an open source video platform. Prior to version 26.0, WWBN/AVideo contains a stored cross-site scripting vulnerability in the CDN plugin's download buttons component. The clean_title field of a video record is interpolated directly into a JavaScript string literal without any escaping, allowing an attacker who can create or modify a video to inject arbitrary JavaScript that executes in the browser of any user who visits the affected download page. Version 26.0 fixes the issue.
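The pattern described above, shown beside a hardened form, as an added illustration in PHP (the language AVideo is written in). This is not code from the AVideo repository or from the fixing commit; the function names, the `videoTitle` variable and the sample title are hypothetical, and only the `clean_title` field name comes from the advisory.

```php
<?php
// Added illustration, not AVideo source. All names below are hypothetical.

// Vulnerable pattern: the stored value is pasted between quotes inside <script>.
function renderDownloadScriptUnsafe(string $cleanTitle): string
{
    return "<script>var videoTitle = '{$cleanTitle}';</script>";
}

// Hardened pattern: json_encode() emits the whole JS string literal, quotes
// included. The JSON_HEX_* flags turn <, >, &, ' and " into \uXXXX escapes,
// so the value can end neither the string nor the <script> element.
function renderDownloadScriptSafe(string $cleanTitle): string
{
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
           | JSON_THROW_ON_ERROR; // invalid UTF-8 raises JsonException
    $literal = json_encode($cleanTitle, $flags);
    return "<script>var videoTitle = {$literal};</script>";
}

// Pull the emitted JS literal back out of the wrapper so it can be inspected.
function extractLiteral(string $html): string
{
    $prefix = '<script>var videoTitle = ';
    $suffix = ';</script>';
    return substr($html, strlen($prefix), -strlen($suffix));
}

// Constructed sample title containing the characters that matter here:
// a quote that closes the string and a tag that closes the script element.
$title = "demo'; </script><b>";

$outputs = [
    'unsafe' => renderDownloadScriptUnsafe($title),
    'safe'   => renderDownloadScriptSafe($title),
];

foreach ($outputs as $name => $html) {
    $literal = extractLiteral($html);
    // Strip the surrounding quotes, then look for raw breakout characters.
    $inner = substr($literal, 1, -1);
    $breaksOut = preg_match('/[<>\'&]/', $inner) === 1;
    printf("%-6s literal: %s\n", $name, $literal);
    printf("%-6s raw breakout characters present: %s\n", $name, $breaksOut ? 'yes' : 'no');
}

// The hardened literal still decodes to the exact stored title.
var_dump(json_decode(extractLiteral($outputs['safe'])) === $title);
```

The same check works as a regression test: any template that writes a database field into a `<script>` block should produce a literal with no raw `<`, `>`, `&` or quote characters inside it.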
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| wwbn/avideo (Packagist) | <= 25.0 | — |
References
- github.com/advisories/GHSA-gc3m-4mcr-h3pv (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-33295 (ghsa, ADVISORY)
- github.com/WWBN/AVideo/commit/30cdd825fa5778c1d678c2402be2413b84ee4833 (ghsa, x_refsource_MISC, WEB)
- github.com/WWBN/AVideo/security/advisories/GHSA-gc3m-4mcr-h3pv (ghsa, x_refsource_CONFIRM, WEB)