VYPR
` produces `

` in the rendered DOM, which the browser parses as a live script element and executes synchronously. The single half-mitigation at line 57 is the maintainer's evidence of awareness of the attribute-injection risk; the same developer left the other three sinks unprotected.

AVideo additionally caches the YouTube response for `cacheTimeout` seconds (default 3600), so even after the title is changed on YouTube or the video is removed, the AVideo gallery continues to serve the malicious title until the cache expires or is manually flushed.

**Affected product:** AVideo (WWBN), YouTubeAPI plugin
**Tested version:** master branch, commit 122b184 (snapshot dated 2026-05-22)

## PoC

The AVideo operator must have the YouTubeAPI plugin enabled (the default after configuring a YouTube Data API key) with `showGallerySection=true` (the default). The attacker controls a YouTube video (uploaded under any free YouTube account) whose title is set to:

```

```

The attacker arranges for the AVideo operator's configured YouTube search query (the `keyword` plugin setting, typically a channel name or topical phrase) to match the hostile video. The matching condition is the same as a normal YouTube search: a unique phrase in the video's description, a channel name the operator follows, or any query the operator has configured.

After AVideo's `cacheTimeout` window elapses (default 3600 seconds) and a fresh `listVideos()` call fetches the malicious title, any visitor opening the AVideo homepage triggers an `alert(2222)` modal dialog as the gallery card renders.

For deterministic test reproduction, deploy a mock YouTube Data API service that impersonates `www.googleapis.com` and `youtube.googleapis.com` on the AVideo Docker network and returns the malicious title directly. The PoC then reduces to:

```
https://avideo.example/
```

Configure the YouTubeAPI plugin in the admin panel (`/plugins`) with any non-empty `developer_key` and any `keyword` value, then load the homepage. The browser fires `alert(2222)` as the gallery section finishes rendering.

## Impact

This is a Stored XSS vulnerability (CWE-79) in a publicly-rendered HTML context, with the data source under attacker control (CWE-829). Every visitor who loads any AVideo page rendering the YouTubeAPI gallery section is impacted: the injected JavaScript runs in the visitor's session under the AVideo origin, reads non-`HttpOnly` cookies, and issues authenticated requests as the visitor. When the visitor is an AVideo administrator, the injected JavaScript performs any admin action (create user, promote to admin, change configuration, install plugin) that uses cookie-based authentication without an additional CSRF token, escalating the bug into full administrative takeover. The payload persists for the duration of `cacheTimeout` (default 3600 seconds) after the malicious title is set on YouTube and survives YouTube removing the hostile video for the same window.
Medium severity · 4.7 · NVD Advisory · Published Jun 4, 2026 · Updated Jun 4, 2026

WWBN AVideo: Stored XSS via Hostile YouTube Video Title in AVideo YouTubeAPI Gallery Section

CVE-2026-50183

Description

AVideo's YouTubeAPI plugin suffers from stored XSS because it fails to sanitize YouTube video titles, allowing attackers to inject malicious scripts.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A stored Cross-Site Scripting (XSS) vulnerability exists in the AVideo YouTubeAPI plugin. The plugin fetches video titles from the YouTube Data API and renders them directly into the homepage gallery markup without proper HTML encoding. This allows any YouTube uploader to inject HTML and JavaScript into the video title, which is then displayed on the AVideo homepage.

Exploitation

An attacker can control a YouTube video's title by uploading a video and setting its title to a JavaScript-bearing string. When an AVideo instance's gallery is configured to display this video, and a user loads a page rendering the gallery, the malicious script embedded in the video title will execute in the user's browser.

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of any user viewing the AVideo homepage gallery. This can lead to session hijacking, information disclosure, or further malicious actions within the user's browser session.

Mitigation

The vulnerability was fixed in commit 7292129eaee5f609beae103b5cb387d55f17b877 on GitHub [4]. The fix involves sanitizing the video title using htmlspecialchars before rendering it in HTML contexts. Users should update to a version of AVideo that includes this commit. No specific version number or release date for the patch is available in the provided references.

AI Insight generated on Jun 4, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

1
7292129eaee5

Sanitize video title and thumbnail attributes for HTML output in gallerySection.php

https://github.com/wwbn/avideo · Daniel Neto · May 28, 2026 · via ghsa-ref
1 file changed · +3 -3
  • plugin/YouTubeAPI/gallerySection.php · +3 -3 · modified
    @@ -47,13 +47,13 @@
             <?php
             foreach ($object->videos as $video) {
                 $youtubeEmbedLink = "{$global['webSiteRootURL']}evideo/".  encryptString(json_encode($video));
    -            $youtubeTitle = $video->title;
    -            $youtubeThumbs = $video->thumbnails;
    +            $youtubeTitle = htmlspecialchars($video->title, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    +            $youtubeThumbs = htmlspecialchars($video->thumbnails, ENT_QUOTES | ENT_HTML5, 'UTF-8');
                 ?>
                 <div class="col-lg-<?php echo 12 / $objGallery->screenColsLarge; ?> col-md-<?php echo 12 / $objGallery->screenColsMedium; ?> col-sm-<?php echo 12 / $objGallery->screenColsSmall; ?> col-xs-<?php echo 12 / $objGallery->screenColsXSmall; ?> galleryVideo fixPadding" style="z-index: <?php echo $zindex--; ?>; min-height: 175px;">
                     <a class="evideo" href="<?php echo $youtubeEmbedLink; ?>" title="<?php echo $youtubeTitle; ?>">
                         <div class="aspectRatio16_9">
    -                        <img src="<?php echo $youtubeThumbs; ?>" alt="<?php echo str_replace('"', '', $youtubeTitle); ?>" class="thumbsJPG img img-responsive" />
    +                        <img src="<?php echo $youtubeThumbs; ?>" alt="<?php echo $youtubeTitle; ?>" class="thumbsJPG img img-responsive" />
                         </div>
                     </a>
                     <a class="h6 evideo" href="<?php echo $youtubeEmbedLink; ?>" title="<?php echo $youtubeTitle; ?>">
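
Review bot: `$youtubeTitle` and `$youtubeThumbs` are now HTML-encoded at assignment rather than at each `echo`, so any later use of these variables in the loop outside an HTML text or quoted-attribute context (inline script, URL parameter, JSON) would receive entity-encoded data, and any later sink that escapes again would double-encode. Consider keeping the raw values and encoding at each output, or renaming the variables to make the encoded state explicit. Separately, for `<img src="<?php echo $youtubeThumbs; ?>"`, `htmlspecialchars` stops attribute breakout but does not constrain the URL itself; checking that `$video->thumbnails` is an `https://` URL before output would close that gap. `$youtubeEmbedLink` is still echoed into `href` unencoded in both anchors.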
    

Vulnerability mechanics

Root cause

"The AVideo YouTubeAPI plugin fails to properly sanitize user-controlled YouTube video titles before rendering them in HTML contexts."

Attack vector

An attacker can upload a YouTube video with a malicious title containing HTML or JavaScript. If the AVideo operator's configured YouTube search query matches this video, the malicious title will be fetched and cached by AVideo. When any visitor loads the AVideo homepage, the injected script executes in their browser, potentially leading to administrative takeover if the visitor is an administrator [ref_id=1].

Affected code

The vulnerability exists in `plugin/YouTubeAPI/gallerySection.php`. Specifically, the `snippet.title` field fetched from the YouTube Data API is rendered directly into HTML attributes (`title` and `alt`) and an `<h2>` element body without proper sanitization [ref_id=1].

What the fix does

The patch applies `htmlspecialchars` to the `video->title` and `video->thumbnails` variables before they are output into HTML attributes and element bodies [patch_id=4828894]. This function properly encodes special characters, preventing them from being interpreted as HTML or JavaScript by the browser, thus mitigating the stored XSS vulnerability.
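
The encoding step described above, as an added example that is not AVideo's code: it compares the pre-patch `str_replace('"', '', …)` handling of the `alt` attribute with `htmlspecialchars(…, ENT_QUOTES | ENT_HTML5, 'UTF-8')` applied at every sink, using a constructed title. The function names, the sample values and the `https`-only thumbnail check are assumptions that go beyond the patch.

```php
<?php
// Added example, not AVideo code. Function names and sample values are hypothetical.

// Pre-patch handling of the alt attribute: only double quotes are stripped.
function altBeforePatch(string $title): string
{
    return str_replace('"', '', $title);
}

// Patched handling: encode & < > " ' so the value stays inert in element
// bodies and in quoted attributes.
function esc(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Assumption beyond the patch: accept only https thumbnail URLs.
function safeThumb(string $url): string
{
    $scheme = parse_url($url, PHP_URL_SCHEME);
    return (is_string($scheme) && strtolower($scheme) === 'https') ? $url : '';
}

// Encode at each sink: href, title, src, alt and the heading body.
function renderCard(string $title, string $thumb, string $link): string
{
    $t = esc($title);
    return '<a class="evideo" href="' . esc($link) . '" title="' . $t . '">'
        . '<img src="' . esc(safeThumb($thumb)) . '" alt="' . $t . '" /></a>'
        . '<h2>' . $t . '</h2>';
}

// Constructed title with markup and both quote styles (not the advisory's payload).
$title = 'Clip "one" <b>bold</b> & it\'s done';
$thumb = 'https://img.example/thumb.jpg';       // constructed
$link  = 'https://avideo.example/evideo/TOKEN'; // constructed placeholder

echo "alt before patch: ", altBeforePatch($title), PHP_EOL;
echo "encoded title:    ", esc($title), PHP_EOL;

$card = renderCard($title, $thumb, $link);
echo $card, PHP_EOL;

// Self-check: no raw tag from the title survives in the rendered card.
echo strpos($card, '<b>') === false ? "OK: title is inert" : "FAIL: raw markup", PHP_EOL;
```

Because the encoding happens when the card is rendered, titles already held in the plugin's cache are encoded on output as well once the patched file is deployed.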

Preconditions

  • config: The YouTubeAPI plugin must be enabled and configured with a YouTube Data API key and a `keyword` search query.
  • input: An attacker must control a YouTube video whose title contains malicious HTML or JavaScript.
  • input: The attacker must ensure the malicious video's title matches the AVideo operator's configured `keyword` search query.

Reproduction

Configure the YouTubeAPI plugin with any non-empty `developer_key` and `keyword`. Ensure the AVideo cache for YouTube API results has expired or is flushed. Then, load the AVideo homepage. The browser will display an `alert(2222)` modal dialog as the gallery section renders [ref_id=1].

Generated on Jun 4, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

3
