CVE-2026-33295

HIGH EPSS 11.9%
Published Mar 22, 20263mo ago · Modified Jun 17, 20261w ago
8.2 CVSS 4.0
High
Find Similar
Published Mar 22, 2026 3mo ago
Last Modified Jun 17, 2026 1w ago

Description

WWBN AVideo is an open source video platform. Prior to version 26.0, WWBN/AVideo contains a stored cross-site scripting vulnerability in the CDN plugin's download buttons component. The `clean_title` field of a video record is interpolated directly into a JavaScript string literal without any escaping, allowing an attacker who can create or modify a video to inject arbitrary JavaScript that executes in the browser of any user who visits the affected download page. Version 26.0 fixes the issue.

CVSS Details

Base Score
8.2
Exploitability
Impact
Vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector Network
Attack Complexity Low
Privileges Required Low
User Interaction A
Scope X

Threat Intelligence

EPSS Exploit Probability
11.9% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available

Weaknesses 1

CWE-79 Cross-site Scripting Injection

Affected Products 1

VendorProductVersionRange
wwbnavideo* <26.0

References 2

  • github.com https://github.com/WWBN/AVideo/commit/30cdd825fa5778c1d678c2402be2413b84ee4833
    Patch
  • github.com https://github.com/WWBN/AVideo/security/advisories/GHSA-gc3m-4mcr-h3pv
    ExploitVendor Advisory

Remediation

  • github.com https://github.com/WWBN/AVideo/commit/30cdd825fa5778c1d678c2402be2413b84ee4833
    Patch