CVE-2026-33500: Cross-site Scripting in AVideo

Severity: 5.4 MEDIUM (NVD); 5.1 (GHSA); 5.1 (OSV)
EPSS: 0.0% (top 89.73%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Mar 23; latest update Apr 14

Description

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the fix for CVE-2026-27568 (GHSA-rcqw-6466-3mv7) introduced a custom `ParsedownSafeWithLinks` class that sanitizes raw HTML `` and `` tags in comments, but explicitly disables Parsedown's `safeMode`. This creates a bypass: markdown link syntax `[text](javascript:alert(1))` is processed by Parsedown's `inlineLink()` method, which does not go through the custom `sanitizeATag()` sanitization (that only handles raw H

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Exploitability subscore: 2.3 | Impact subscore: 2.7
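The description above says the markdown link path (`inlineLink()`) bypasses the custom `sanitizeATag()` check because `safeMode` was disabled. The following is an added illustration, not code from the AVideo project or from the advisory, of how that gap can be closed at the point the link is built: a Parsedown subclass that re-applies a URL-scheme allowlist to every markdown link destination, the same kind of check Parsedown's own `safeMode` performs. The class name `ParsedownLinkSchemeAllowlist` and the helper `hrefIsAllowed()` are hypothetical; it assumes Parsedown 1.7.x, where the protected `inlineLink($Excerpt)` method returns an array whose `['element']['attributes']['href']` holds the destination.

```php
<?php
// Added example (not AVideo or Parsedown project code): re-apply a scheme
// allowlist to markdown link destinations so that "[text](javascript:...)"
// cannot reach the rendered HTML even when safeMode is off.
// Assumes Parsedown 1.7.x; the class and helper names are hypothetical.
require_once 'Parsedown.php';

class ParsedownLinkSchemeAllowlist extends Parsedown
{
    /** Schemes a user-supplied link may use; anything else is neutralised. */
    private $allowedSchemes = ['http', 'https', 'mailto'];

    protected function inlineLink($Excerpt)
    {
        $Link = parent::inlineLink($Excerpt);
        if ($Link === null) {
            return null; // no link at this position, let Parsedown move on
        }

        $href = isset($Link['element']['attributes']['href'])
            ? $Link['element']['attributes']['href']
            : '';

        if (!$this->hrefIsAllowed($href)) {
            // Keep the visible text, drop the disallowed destination.
            $Link['element']['attributes']['href'] = '#';
        }

        return $Link;
    }

    private function hrefIsAllowed($href)
    {
        // Browsers ignore ASCII control characters and whitespace inside a
        // scheme, so remove them before inspecting it ("java\tscript:" must
        // be treated as "javascript:").
        $clean = preg_replace('/[\x00-\x20\x7f]+/', '', (string) $href);

        $colon = strpos($clean, ':');
        if ($colon === false) {
            return true; // relative URL: no scheme to abuse
        }

        $scheme = strtolower(substr($clean, 0, $colon));

        // If '/', '?' or '#' appears before the colon, the colon belongs to
        // the path or query (e.g. "/search?q=a:b"), not to a scheme.
        if (preg_match('#[/?\#]#', $scheme)) {
            return true;
        }

        return in_array($scheme, $this->allowedSchemes, true);
    }
}

// Usage with constructed comment text: the first link is kept, the second
// is rendered with href="#" because "javascript" is not in the allowlist.
$renderer = new ParsedownLinkSchemeAllowlist();
$renderer->setMarkupEscaped(true); // raw HTML in the comment is escaped, not rendered
echo $renderer->text('[docs](https://example.invalid/help) [bad](javascript:alert(1))');
```

Two design notes. First, the simplest hardening is to leave Parsedown's `setSafeMode(true)` in place, which already filters unsafe link and image URLs; the subclass above is for the situation the advisory describes, where raw-HTML handling is customised and `safeMode` has been turned off. Second, filtering on an allowlist of schemes (rather than a denylist of `javascript:`) is deliberate: new or obscure schemes are rejected by default, and the control-character stripping covers the obfuscated spellings that a plain string comparison would miss.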

Affected Packages (2)

- NVD: wwbn/avideo 26.0
- Packagist: wwbn/avideo 26.0 (+1)
Vulnerability Details (3)

- GHSA: WWBN AVideo has an incomplete fix for CVE-2026-33500: XSS (2026-04-14)
- GHSA: AVideo - Incomplete Fix for CVE-2026-27568: Stored XSS via Markdown `javascript:` URI Bypasses ParsedownSafeWithLinks Sanitization (2026-03-20)
- OSV: AVideo - Incomplete Fix for CVE-2026-27568: Stored XSS via Markdown `javascript:` URI Bypasses ParsedownSafeWithLinks Sanitization (2026-03-20)

Threat Intelligence (1)

- Wiz: CVE-2026-33500 Impact, Exploitability, and Mitigation Steps | Wiz