CVE-2026-33500
published 2026-03-23CVE-2026-33500: WWBN AVideo is an open source video platform. In versions up to and including 26.0, the fix for CVE-2026-27568 (GHSA-rcqw-6466-3mv7) introduced a custom…
PriorityP427medium5.4CVSS 3.1
AVNACLPRLUIRSCCLILAN
EPSS
0.22%
12.2th percentile
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the fix for CVE-2026-27568 (GHSA-rcqw-6466-3mv7) introduced a custom `ParsedownSafeWithLinks` class that sanitizes raw HTML `` and `` tags in comments, but explicitly disables Parsedown's `safeMode`. This creates a bypass: markdown link syntax `[text](javascript:alert(1))` is processed by Parsedown's `inlineLink()` method, which does not go through the custom `sanitizeATag()` sanitization (that only handles raw HTML tags). With `safeMode` disabled, Parsedown's built-in `javascript:` URI filtering (`sanitiseElement()`/`filterUnsafeUrlInAttribute()`) is also inactive. An attacker can inject stored XSS via comment markdown links. Commit 3ae02fa240939dbefc5949d64f05790fd25d728d contains a patch.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| wwbn | avideo | <= 26.0 | — |
| wwbn | avideo | 0 – 26.0 | — |
| wwbn | avideo | 0 – 29.0 | — |
CVSS provenance
nvdv3.15.4MEDIUMCVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
ghsa5.4MEDIUM
osv5.1MEDIUM
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
WWBN AVideo has an incomplete fix for CVE-2026-33500: XSS
ghsa·2026-04-14·CVSS 5.4
CVE-2026-33500 [MEDIUM] CWE-79 WWBN AVideo has an incomplete fix for CVE-2026-33500: XSS
WWBN AVideo has an incomplete fix for CVE-2026-33500: XSS
### Summary
The incomplete XSS fix in AVideo's `ParsedownSafeWithLinks` class overrides `inlineMarkup` for raw HTML but does not override `inlineLink()` or `inlineUrlTag()`, allowing `javascript:` URLs in markdown link syntax to bypass sanitization.
### Affected Package
- **Ecosystem:** Other
- **Package:** AVideo
- **Affected versions:** = commit 3ae02fa24093
### Details
In `objects/functionsSecurity.php`, the `ParsedownSafeWithLinks` class:
- Overrides `blockMarkup()` -- blocks non-``/`` HTML tags
- Overrides `inlineMarkup()` -- sanitizes `` and `` in raw HTML, including an href whitelist
But the base `Parsedown.php` class has two additional methods that generate `` tags:
- `inlineLink()` (line ~1388) -- processes `[text](u
GHSA
AVideo - Incomplete Fix for CVE-2026-27568: Stored XSS via Markdown `javascript:` URI Bypasses ParsedownSafeWithLinks Sanitization
ghsa·2026-03-20·CVSS 5.1
CVE-2026-33500 [MEDIUM] CWE-79 AVideo - Incomplete Fix for CVE-2026-27568: Stored XSS via Markdown `javascript:` URI Bypasses ParsedownSafeWithLinks Sanitization
AVideo - Incomplete Fix for CVE-2026-27568: Stored XSS via Markdown `javascript:` URI Bypasses ParsedownSafeWithLinks Sanitization
## Summary
The fix for CVE-2026-27568 (GHSA-rcqw-6466-3mv7) introduced a custom `ParsedownSafeWithLinks` class that sanitizes raw HTML `` and `` tags in comments, but explicitly disables Parsedown's `safeMode`. This creates a bypass: markdown link syntax `[text](javascript:alert(1))` is processed by Parsedown's `inlineLink()` method, which does not go through the custom `sanitizeATag()` sanitization (that only handles raw HTML tags). With `safeMode` disabled, Parsedown's built-in `javascript:` URI filtering (`sanitiseElement()`/`filterUnsafeUrlInAttribute()`) is also inactive. An attacker can inject stored XSS via comment markdown links.
## Details
The orig
OSV
AVideo - Incomplete Fix for CVE-2026-27568: Stored XSS via Markdown `javascript:` URI Bypasses ParsedownSafeWithLinks Sanitization
osv·2026-03-20·CVSS 5.1
CVE-2026-33500 [MEDIUM] AVideo - Incomplete Fix for CVE-2026-27568: Stored XSS via Markdown `javascript:` URI Bypasses ParsedownSafeWithLinks Sanitization
AVideo - Incomplete Fix for CVE-2026-27568: Stored XSS via Markdown `javascript:` URI Bypasses ParsedownSafeWithLinks Sanitization
## Summary
The fix for CVE-2026-27568 (GHSA-rcqw-6466-3mv7) introduced a custom `ParsedownSafeWithLinks` class that sanitizes raw HTML `` and `` tags in comments, but explicitly disables Parsedown's `safeMode`. This creates a bypass: markdown link syntax `[text](javascript:alert(1))` is processed by Parsedown's `inlineLink()` method, which does not go through the custom `sanitizeATag()` sanitization (that only handles raw HTML tags). With `safeMode` disabled, Parsedown's built-in `javascript:` URI filtering (`sanitiseElement()`/`filterUnsafeUrlInAttribute()`) is also inactive. An attacker can inject stored XSS via comment markdown links.
## Details
The orig
No detection rules found.
No public exploits indexed.
2026-03-23
Published