Moderate severityNVD Advisory· Published Mar 23, 2026· Updated Mar 25, 2026
AVideo vulnerable to Stored XSS via html_entity_decode() Reversing xss_esc() Sanitization in Channel About Field
CVE-2026-33683
Description
WWBN AVideo is an open source video platform. In versions up to and including 26.0, a sanitization order-of-operations flaw in the user profile "about" field allows any registered user to inject arbitrary JavaScript that executes when other users visit their channel page. The xss_esc() function entity-encodes input before strip_specific_tags() can match dangerous HTML tags, and html_entity_decode() on output reverses the encoding, restoring the raw malicious HTML. Commit 7cfdc380dae1e56bbb5de581470d9e9957445df0 contains a patch.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
wwbn/avideoPackagist | <= 26.0 | — |
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
4- github.com/advisories/GHSA-ghx5-7jjg-q2j7ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-33683ghsaADVISORY
- github.com/WWBN/AVideo/commit/7cfdc380dae1e56bbb5de581470d9e9957445df0ghsax_refsource_MISCWEB
- github.com/WWBN/AVideo/security/advisories/GHSA-ghx5-7jjg-q2j7ghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.