CVE-2026-41063

MEDIUM EPSS 11.9%
Published Apr 21, 20262mo ago · Modified Jun 17, 20262w ago
5.4 CVSS 3.1
Medium
Find Similar
Published Apr 21, 2026 2mo ago
Last Modified Jun 17, 2026 2w ago

Description

WWBN AVideo is an open source video platform. In versions 29.0 and below, an incomplete XSS fix in AVideo's `ParsedownSafeWithLinks` class overrides `inlineMarkup` for raw HTML but does not override `inlineLink()` or `inlineUrlTag()`, allowing `javascript:` URLs in markdown link syntax to bypass sanitization. Commit cae8f0dadbdd962c89b91d0095c76edb8aadcacf contains an updated fix.

CVSS Details

Base Score
5.4
Exploitability
2.3
Impact
2.7
Vector string
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Attack Vector Network
Attack Complexity Low
Privileges Required Low
User Interaction Required
Scope Changed
Confidentiality Low
Integrity Low
Availability None

Threat Intelligence

EPSS Exploit Probability
11.9% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available

Weaknesses 1

CWE-79 Cross-site Scripting Injection

Affected Products 1

VendorProductVersionRange
wwbnavideo* ≤29.0

References 4

  • github.com https://github.com/WWBN/AVideo/commit/3ae02fa240939dbefc5949d64f05790fd25d728d
    Patch
  • github.com https://github.com/WWBN/AVideo/commit/cae8f0dadbdd962c89b91d0095c76edb8aadcacf
    Patch
  • github.com https://github.com/WWBN/AVideo/security/advisories/GHSA-72h5-39r7-r26j
    ExploitMitigationVendor Advisory
  • github.com https://github.com/WWBN/AVideo/security/advisories/GHSA-m7r8-6q9j-m2hc
    ExploitMitigationVendor Advisory

Remediation

  • github.com https://github.com/WWBN/AVideo/commit/3ae02fa240939dbefc5949d64f05790fd25d728d
    Patch
  • github.com https://github.com/WWBN/AVideo/commit/cae8f0dadbdd962c89b91d0095c76edb8aadcacf
    Patch