CVE-2026-33035Cross-site Scripting in Avideo

CWE-79Cross-site Scripting4 documents4 sources
Severity
5.3MEDIUMNVD
EPSS
0.1%
top 78.50%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Wwbn Avideo
Timeline
Latest updateMar 17
PublishedMar 20

Description

WWBN AVideo is an open source video platform. In versions 25.0 and below, there is a reflected XSS vulnerability that allows unauthenticated attackers to execute arbitrary JavaScript in a victim's browser. User input from a URL parameter flows through PHP's json_encode() into a JavaScript function that renders it via innerHTML, bypassing encoding and achieving full script execution. The vulnerability is caused by two issues working together: unescaped user input passed to JavaScript (videoNotFou

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Affected Packages2 packages

NVDwwbn/avideo< 26.0
Packagistwwbn/avideo25.0

Patches

Patch: github.com

🔴Vulnerability Details

2
OSV
Unauthenticated Reflected XSS via innerHTML in AVideo2026-03-17
GHSA
Unauthenticated Reflected XSS via innerHTML in AVideo2026-03-17

🕵️Threat Intelligence

1
Wiz
CVE-2026-33035 Impact, Exploitability, and Mitigation Steps | Wiz