VYPR
Medium severity 5.4 · NVD Advisory · Published May 29, 2026 · Updated May 29, 2026

CVE-2026-47694

Description

WWBN AVideo is an open source video platform. In 29.0 and earlier, AVideo stores category descriptions from user input and later renders category_description as raw HTML in the Gallery view. A user who can create or edit categories can store JavaScript in a category description, which executes when another user views the affected Gallery/category page. This is a stored XSS in the category description field, separate from previously fixed XSS issues in video titles or comments.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

AVideo 29.0 and earlier has a stored XSS in category descriptions rendered as raw HTML in Gallery view, allowing JavaScript execution on viewing.

Vulnerability

AVideo versions 29.0 and earlier contain a stored cross-site scripting (XSS) vulnerability in the category description field. The description is stored from user input via objects/categoryAddNew.json.php and rendered as raw HTML in plugin/Gallery/view/mainAreaCategory.php without output encoding. A user with permission to create or edit categories can inject arbitrary HTML/JavaScript into the description, which executes when another user views the Gallery/category page. This issue is separate from previously fixed XSS in video titles or comments [1].

Exploitation

An attacker needs a user account with category create or edit permissions and the Gallery plugin enabled. The attacker creates or edits a category, sets the description to a payload such as ``, saves it, and assigns at least one video to that category. When any user (including administrators) visits the Gallery/category page, the payload executes in their browser [1].

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's session. This can lead to actions performed as the victim, theft of same-origin data, or abuse of administrative UI actions if the victim is an administrator [1].

Mitigation

No patched version is available as of the publication date. The recommended fix is to sanitize category descriptions on input with a strict HTML policy (or store plain text) and encode output. For now, users should restrict category editing to trusted roles and review any existing category descriptions [1].

AI Insight generated on May 29, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • WWBN/Avideo (inferred), 2 versions
    <=29.0 + 1 more
    • (no CPE) range: <=29.0
    • (no CPE) range: <=29.0

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing output encoding of category_description in the Gallery view allows stored cross-site scripting."

Attack vector

An attacker with category creation or edit privileges submits a category description containing JavaScript (e.g. `<img src=x onerror=alert(document.domain)>`) via the `objects/categoryAddNew.json.php` endpoint [1]. The payload is stored in the database and later rendered as raw HTML in the Gallery view (`plugin/Gallery/view/mainAreaCategory.php`) without any output encoding [1]. When another user (including an administrator) visits the affected Gallery/category page, the JavaScript executes in their browser session, enabling actions such as session hijacking or administrative UI abuse [CWE-79].

Affected code

The vulnerability is in `plugin/Gallery/view/mainAreaCategory.php` where `$videos[0]['category_description']` is rendered without output encoding. The input path is `objects/categoryAddNew.json.php` which calls `setDescription()` in `objects/category.php` and stores the unsanitized value.

What the fix does

The advisory recommends encoding the category description on output using `htmlspecialchars($videos[0]['category_description'], ENT_QUOTES, 'UTF-8')` or, if limited HTML is intended, running the value through HTMLPurifier before storage or rendering [1]. No patch has been published as of the advisory date. The fix closes the vulnerability by preventing raw HTML/JavaScript from being interpreted by the browser, treating the description as plain text instead of executable markup.
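The output-encoding fix described above, next to the raw rendering it replaces, as an added example that is not AVideo's code or a published patch. The function names, the wrapper markup, the `ENT_SUBSTITUTE` flag and the sample rows are assumptions made for illustration; the review helper supports the advice to check existing category descriptions.

```php
<?php
declare(strict_types=1);

// Added illustration, not AVideo source. Only the array key
// $videos[0]['category_description'] and the htmlspecialchars() call come
// from the advisory; function names, markup and sample rows are assumed.

// "Before": the stored description is concatenated into the page as HTML.
function renderDescriptionRaw(array $videos): string
{
    return '<p class="desc">' . $videos[0]['category_description'] . '</p>';
}

// "After": encode at the point of output so the browser sees text, not markup.
// ENT_SUBSTITUTE is an addition here: without it, invalid UTF-8 in the stored
// value makes htmlspecialchars() return an empty string.
function renderDescriptionEncoded(array $videos): string
{
    $desc = (string) ($videos[0]['category_description'] ?? '');
    return '<p class="desc">'
        . htmlspecialchars($desc, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
        . '</p>';
}

// Triage helper for reviewing stored descriptions: flags any value
// that contains markup, i.e. one that strip_tags() would alter.
function descriptionHasMarkup(string $desc): bool
{
    return strip_tags($desc) !== $desc;
}

// Constructed sample rows; the second uses the payload quoted in the advisory.
$rows = [
    ['id' => 1, 'category_description' => 'Talks & demos from 2025'],
    ['id' => 2, 'category_description' => '<img src=x onerror=alert(document.domain)>'],
];

foreach ($rows as $row) {
    $videos = [$row];
    printf(
        "category %d  needs_review=%s\n  raw:     %s\n  encoded: %s\n",
        $row['id'],
        descriptionHasMarkup($row['category_description']) ? 'yes' : 'no',
        renderDescriptionRaw($videos),
        renderDescriptionEncoded($videos)
    );
}
```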

Preconditions

  • auth: Attacker must have a user account with permission to create or edit categories
  • config: Gallery plugin must be enabled
  • input: At least one video must be assigned to the affected category for the category section to render
  • network: A victim user must visit the Gallery/category page that displays the malicious category

Generated on May 29, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

1
