Medium severity5.4NVD Advisory· Published Apr 21, 2026· Updated Apr 24, 2026

CVE-2026-41063

Description

WWBN AVideo is an open source video platform. In versions 29.0 and below, an incomplete XSS fix in AVideo's ParsedownSafeWithLinks class overrides inlineMarkup for raw HTML but does not override inlineLink() or inlineUrlTag(), allowing javascript: URLs in markdown link syntax to bypass sanitization. Commit cae8f0dadbdd962c89b91d0095c76edb8aadcacf contains an updated fix.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
wwbn/avideoPackagist	<= 29.0	—

Affected products

WWBN/Avideo
cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*
Range: <=29.0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/WWBN/AVideo/commit/3ae02fa240939dbefc5949d64f05790fd25d728dnvdPatchWEB
github.com/WWBN/AVideo/commit/cae8f0dadbdd962c89b91d0095c76edb8aadcacfnvdPatchWEB
github.com/WWBN/AVideo/security/advisories/GHSA-72h5-39r7-r26jnvdExploitMitigationVendor AdvisoryWEB
github.com/WWBN/AVideo/security/advisories/GHSA-m7r8-6q9j-m2hcnvdExploitMitigationVendor AdvisoryWEB
github.com/advisories/GHSA-m7r8-6q9j-m2hcghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2026-33500ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2026-41063ghsaADVISORY

News mentions

No linked articles in our index yet.

cvss	0.351
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000