CVE-2026-27568Cross-site Scripting in Avideo

CWE-79Cross-site Scripting7 documents4 sources
Severity
5.4MEDIUMNVD
NVD5.1GHSA5.1OSV5.1
EPSS
0.0%
top 98.52%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Wwbn Avideo
Timeline
PublishedFeb 24
Latest updateMar 20

Description

WWBN AVideo is an open source video platform. Prior to version 21.0, AVideo allows Markdown in video comments and uses Parsedown (v1.7.4) without Safe Mode enabled. Markdown links are not sufficiently sanitized, allowing `javascript:` URIs to be rendered as clickable links. An authenticated low-privilege attacker can post a malicious comment that injects persistent JavaScript. When another user clicks the link, the attacker can perform actions such as session hijacking, privilege escalation (inc

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Affected Packages3 packages

NVDwwbn/avideo< 21.0+1
Packagistwwbn/avideo< 21.0+1
CVEListV5wwbn/avideo26.0

Patches

Patch: github.com

🔴Vulnerability Details

4
GHSA
AVideo - Incomplete Fix for CVE-2026-27568: Stored XSS via Markdown `javascript:` URI Bypasses ParsedownSafeWithLinks Sanitization2026-03-20
OSV
AVideo - Incomplete Fix for CVE-2026-27568: Stored XSS via Markdown `javascript:` URI Bypasses ParsedownSafeWithLinks Sanitization2026-03-20
GHSA
AVideo has Stored Cross-Site Scripting via Markdown Comment Injection2026-02-20
OSV
AVideo has Stored Cross-Site Scripting via Markdown Comment Injection2026-02-20

🕵️Threat Intelligence

1
Wiz
CVE-2026-27568 Impact, Exploitability, and Mitigation Steps | Wiz