CVE-2026-33499Cross-site Scripting in Avideo

CWE-79Cross-site Scripting4 documents4 sources
Severity
6.1MEDIUMNVD
EPSS
0.0%
top 98.50%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Wwbn Avideo
Timeline
Latest updateMar 20
PublishedMar 23

Description

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `view/forbiddenPage.php` and `view/warningPage.php` templates reflect the `$_REQUEST['unlockPassword']` parameter directly into an HTML `` tag's attributes without any output encoding or sanitization. An attacker can craft a URL that breaks out of the `value` attribute and injects arbitrary HTML attributes including JavaScript event handlers, achieving reflected XSS against any visitor who clicks the link. Co

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages2 packages

NVDwwbn/avideo26.0
Packagistwwbn/avideo26.0

Patches

Patch: github.com

🔴Vulnerability Details

2
GHSA
AVideo has Reflected XSS via unlockPassword Parameter in forbiddenPage.php and warningPage.php2026-03-20
OSV
AVideo has Reflected XSS via unlockPassword Parameter in forbiddenPage.php and warningPage.php2026-03-20

🕵️Threat Intelligence

1
Wiz
CVE-2026-33499 Impact, Exploitability, and Mitigation Steps | Wiz