VYPR
` closes the `href` attribute, closes the `` element, and injects a fresh ``) to guarantee a fulltext hit.

The AVideo Layout plugin (`plugin/Layout/Layout.php:611`, enabled by default) runs `Layout::organizeHTML()` over the final HTML, extracts every inline `]*>(.*)` block via regex, and concatenates their inner contents into one trailing `` is therefore moved out of the original `href` context and into a clean executable script block; the visible pagination markup retains only the leftover `&search=">` bytes.

**Affected product:** AVideo (WWBN), API + YouTubeAPI + Layout plugins
**Tested version:** master branch, commit 122b184 (snapshot dated 2026-05-22)

## PoC

The AVideo deployment must have the YouTubeAPI plugin enabled with the default `showGallerySection=true`. The payload also needs to satisfy the fulltext `MATCH(v.title) AGAINST` gate that `Video::getVideo()` adds when `$_GET['search']` is set: at least one video in the corpus must have a title containing one of the payload's tokens. In the live confirmation a video titled `Tutorial about script error alerts` satisfied the gate via the words `script` and `alert`. Seeding the payload with the common word `video` guarantees a hit on any realistic AVideo deployment, since `video` appears in nearly every video title.

Open the following URL in any browser. No authentication, no session cookie, no prior interaction with the site is required:

```
https://avideo.example/?search=video%22%3E%3Cscript%3Ealert(1337)%3C%2Fscript%3E&page=2
```

The browser fires an `alert(1337)` modal dialog as soon as the homepage finishes rendering. The injected `
Medium severity 6.1 · GHSA Advisory · Published Jun 4, 2026 · Updated Jun 4, 2026

WWBN AVideo: Unauthenticated Reflected XSS via $_GET['search'] in AVideo YouTubeAPI Gallery Pagination

CVE-2026-50182

Description

Unauthenticated XSS in AVideo YouTubeAPI plugin allows attackers to inject JavaScript via the 'search' parameter in pagination links.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A reflected Cross-Site Scripting vulnerability (CWE-79) exists in the AVideo YouTubeAPI plugin. The $_GET['search'] query parameter is directly concatenated into the href attribute of pagination links within plugin/YouTubeAPI/gallerySection.php (lines 67 and 74) without proper sanitization or encoding. This affects AVideo versions where the YouTubeAPI plugin is enabled with showGallerySection=true.

Exploitation

An unauthenticated attacker can exploit this vulnerability by crafting a URL containing a malicious payload in the search parameter, such as `"><script>alert(1337)</script>`. When a victim clicks this crafted URL, the injected script is executed in the victim's browser. This requires the YouTube API call to return a pagination token and the gallery section to be rendered.

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the victim's browser session. This can lead to session hijacking, credential theft, or other malicious actions, depending on the JavaScript payload and the victim's privileges within the AVideo application.

Mitigation

The vulnerability is fixed in AVideo by applying htmlspecialchars and urlencode to the search parameter and using intval for the page number in plugin/YouTubeAPI/gallerySection.php [4]. The fixed version is available as of commit f50fc033b7adb36f1ffd6640e7826468bdafdec3 [4].

AI Insight generated on Jun 4, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

1
f50fc033b7ad

Improve URL encoding for pagination links in gallerySection.php

https://github.com/wwbn/avideo · Daniel Neto · May 28, 2026 · via ghsa-ref
1 file changed · +3 -3
  • plugin/YouTubeAPI/gallerySection.php · +3 -3 · modified
    @@ -64,14 +64,14 @@
             }
             if($_GET['page'] > 1 && !empty($object->prevPageToken)){
             ?>
    -        <a href="<?php echo "{$global['webSiteRootURL']}page/".($_GET['page']-1)."?pageToken={$object->prevPageToken}&search=".(@$_GET['search']); ?>" class="btn btn-primary btn-sm pull-left">
    +        <a href="<?php echo htmlspecialchars("{$global['webSiteRootURL']}page/".(intval($_GET['page'])-1)."?pageToken=".urlencode($object->prevPageToken)."&search=".urlencode(@$_GET['search']), ENT_QUOTES | ENT_HTML5, 'UTF-8'); ?>" class="btn btn-primary btn-sm pull-left">
                 <i class="fas fa-angle-double-left"></i> <?php echo __("Previous"); ?>
             </a>
             <?php
             }
             if(!empty($object->nextPageToken)){
             ?>
    -        <a href="<?php echo "{$global['webSiteRootURL']}page/".($_GET['page']+1)."?pageToken={$object->nextPageToken}&search=".(@$_GET['search']); ?>" class="btn btn-primary btn-sm pull-right">
    +        <a href="<?php echo htmlspecialchars("{$global['webSiteRootURL']}page/".(intval($_GET['page'])+1)."?pageToken=".urlencode($object->nextPageToken)."&search=".urlencode(@$_GET['search']), ENT_QUOTES | ENT_HTML5, 'UTF-8'); ?>" class="btn btn-primary btn-sm pull-right">
                 <?php echo __("Next"); ?> <i class="fas fa-angle-double-right"></i>
             </a>
             <?php
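Review bot: On both rewritten `href` lines, `urlencode(@$_GET['search'])` still takes the raw request value, so a request carrying `search[]=x` hands an array to `urlencode()`, which raises a TypeError on PHP 8 that `@` does not suppress, and an absent `search` relies on `@` to hide the null-argument deprecation. Normalise the value once above the links, for example `$search = is_string($_GET['search'] ?? null) ? $_GET['search'] : '';`, and reuse it in both places. The unchanged `if($_GET['page'] > 1 ...` condition in the context still compares the raw parameter, so computing `$page = intval($_GET['page'] ?? 1);` once and using it for the comparison and both links would keep the three uses consistent.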
    @@ -80,4 +80,4 @@
         </div>
         <?php
     }
    -?>
    \ No newline at end of file
    +?>
    

Vulnerability mechanics

Root cause

"The `$_GET['search']` parameter is directly embedded into the `href` attribute of pagination links without proper sanitization."

Attack vector

An unauthenticated attacker crafts a URL containing a malicious payload in the `search` query parameter. This payload, such as `"><script>alert(1337)</script>`, is injected into the `href` attribute of pagination links. The AVideo Layout plugin then extracts and executes this script in the victim's browser when the page is rendered [ref_id=1]. A precondition is that the `search` parameter must trigger a full-text search that returns results, which can be achieved by including common words like 'video' in the search query [ref_id=1].

Affected code

The vulnerability exists in `plugin/YouTubeAPI/gallerySection.php` at lines 67 and 74, where the `$_GET['search']` parameter is directly concatenated into the `href` attribute of the previous and next page links. The AVideo Layout plugin, specifically `plugin/Layout/Layout.php`, is also involved as it reorganizes HTML and extracts script blocks [ref_id=1].

What the fix does

The patch addresses the vulnerability by applying `htmlspecialchars` and `urlencode` to the `$_GET['search']` parameter before it is embedded in the `href` attribute of pagination links [patch_id=4828895]. This sanitization prevents the injected script from being interpreted as executable code by the browser. Additionally, the page number is explicitly cast to an integer using `intval()` to prevent potential type juggling issues.
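The two encoding layers described above can be checked as a regression test. This is an added example, not AVideo's code: `buildPageLink()` and `breaksOutOfAttribute()` are hypothetical helpers that mirror the pre-patch and patched expressions, and the page token `CAUQAA` and the sample searches are constructed values.

```php
<?php
declare(strict_types=1);

// Hypothetical helper mirroring the "next page" link expression before and after the patch.
function buildPageLink(string $root, string $page, string $token, string $search, bool $fixed): string
{
    if (!$fixed) {
        // Pre-patch shape: raw concatenation straight into the attribute value.
        return "{$root}page/" . ($page + 1) . "?pageToken={$token}&search=" . $search;
    }
    // Patched shape: urlencode() each query value (URL context),
    // then htmlspecialchars() the whole URL (HTML attribute context).
    $url = "{$root}page/" . (intval($page) + 1)
         . "?pageToken=" . urlencode($token)
         . "&search=" . urlencode($search);
    return htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Inside href="...", a raw quote or angle bracket ends the attribute or opens markup.
function breaksOutOfAttribute(string $attrValue): bool
{
    return (bool) preg_match('/["\'<>]/', $attrValue);
}

// Constructed inputs: two ordinary searches plus the advisory's alert(1337) probe.
$samples = ['video', 'cats & dogs', 'video"><script>alert(1337)</script>'];

foreach ($samples as $s) {
    $before = buildPageLink('https://avideo.example/', '2', 'CAUQAA', $s, false);
    $after  = buildPageLink('https://avideo.example/', '2', 'CAUQAA', $s, true);

    // The browser entity-decodes the attribute; the server then URL-decodes the query.
    $decoded = html_entity_decode($after, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    parse_str((string) parse_url($decoded, PHP_URL_QUERY), $q);

    printf(
        "%-42s before_unsafe=%s after_unsafe=%s roundtrip=%s\n",
        json_encode($s),
        var_export(breaksOutOfAttribute($before), true),
        var_export(breaksOutOfAttribute($after), true),
        var_export(($q['search'] ?? null) === $s, true)
    );
}
```

Only the third sample should report `before_unsafe=true`; every sample should report `after_unsafe=false` and `roundtrip=true`, showing that the fix neutralises the breakout without altering the search term the next page receives.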

Preconditions

  • config: The YouTubeAPI plugin must be enabled with `showGallerySection=true`.
  • input: The `search` GET parameter must be present and contain a payload that can satisfy the `Video::getVideo()` full-text search condition.

Reproduction

Open the following URL in a browser: `https://avideo.example/?search=video%22%3E%3Cscript%3Ealert(1337)%3C%2Fscript%3E&page=2`. An `alert(1337)` modal dialog will appear, confirming the execution of arbitrary JavaScript.

Generated on Jun 4, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
