CVE-2026-33295 | THREATINT

Description

WWBN AVideo is an open source video platform. Prior to version 26.0, WWBN/AVideo contains a stored cross-site scripting vulnerability in the CDN plugin's download buttons component. The `clean_title` field of a video record is interpolated directly into a JavaScript string literal without any escaping, allowing an attacker who can create or modify a video to inject arbitrary JavaScript that executes in the browser of any user who visits the affected download page. Version 26.0 fixes the issue.

PUBLISHED Reserved 2026-03-18 | Published 2026-03-22 | Updated 2026-03-23 | Assigner GitHub_M

HIGH: 8.2CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N

Problem types

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Product status

< 26.0

affected

References

github.com/...AVideo/security/advisories/GHSA-gc3m-4mcr-h3pv exploit

github.com/...AVideo/security/advisories/GHSA-gc3m-4mcr-h3pv

github.com/...ommit/30cdd825fa5778c1d678c2402be2413b84ee4833

cve.org (CVE-2026-33295)

nvd.nist.gov (CVE-2026-33295)

Download JSON