CVE-2026-39367
Published 2026-04-07
Priority: P4 (29) · Severity: medium · CVSS 3.1 base score 5.4
CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
EPSS: 0.19% (9.4th percentile)
WWBN AVideo is an open source video platform. In versions 26.0 and prior, AVideo's EPG (Electronic Program Guide) feature parses XML from user-controlled URLs and renders programme titles directly into HTML without any sanitization or escaping. A user with upload permission can set a video's epg_link to a malicious XML file whose programme-title elements contain JavaScript. The payload executes in the browser of any unauthenticated visitor to the public EPG page (stored XSS, CWE-79), enabling session hijacking and account takeover.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| wwbn | avideo | <= 26.0 | — |
| wwbn | avideo | 0 – 26.0 | — |
GHSA (published 2026-04-08)
CVE-2026-39367 [MEDIUM] CWE-79: WWBN AVideo has Stored XSS via Malicious EPG XML Program Titles in AVideo EPG Page
## Summary
AVideo's EPG (Electronic Program Guide) feature parses XML from user-controlled URLs and renders programme titles directly into HTML without any sanitization or escaping. A user with upload permission can set a video's `epg_link` to a malicious XML file whose programme-title elements contain JavaScript. This payload executes in the browser of any unauthenticated visitor to the public EPG page, enabling session hijacking and account takeover.
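To make the data flow concrete, here is an added example (not AVideo's own code; the page only shows the truncated entry point). It models the flow the summary describes: an XMLTV-style file whose programme titles carry HTML is parsed, then rendered both the way the advisory says AVideo does it (straight concatenation into HTML) and with escaping at the output sink. A small check that flags titles containing markup is included as the kind of pre-render or log-time test an operator could run over a fetched EPG file. The function names, the regular expression and the sample XML are all constructed for this example.

```python
"""Model of the EPG title data flow from the advisory (added example).

Everything here is constructed for illustration: the sample XML, the
function names and the markup pattern are not taken from AVideo.
"""
import html
import re
import xml.etree.ElementTree as ET

# Constructed sample in XMLTV layout. The second <title> carries an HTML
# payload inside CDATA, which is how an uploader-hosted EPG file can
# smuggle markup through a well-formed XML parse.
SAMPLE_EPG_XML = """<?xml version="1.0" encoding="UTF-8"?>
<tv>
  <programme start="20260407120000 +0000" channel="c1">
    <title>Morning News</title>
  </programme>
  <programme start="20260407130000 +0000" channel="c1">
    <title><![CDATA[<img src=x onerror=alert(document.cookie)>]]></title>
  </programme>
</tv>
"""


def parse_titles(xml_text: str) -> list[str]:
    """Return the text of every <programme>/<title> element, in document order.

    ElementTree resolves CDATA to plain text, so a payload written as CDATA
    (or as &lt;...&gt; entities) comes back as literal '<img ...>' text.
    """
    root = ET.fromstring(xml_text)
    return [(p.findtext("title") or "") for p in root.iter("programme")]


def render_epg_unsafe(titles: list[str]) -> str:
    """Mirror of the flaw: title text is concatenated straight into HTML."""
    return "".join(f"<li>{t}</li>" for t in titles)


def render_epg_safe(titles: list[str]) -> str:
    """The fix: escape at the HTML sink, covering <, >, &, and both quote styles."""
    return "".join(f"<li>{html.escape(t, quote=True)}</li>" for t in titles)


# Anything that could open a tag, set an event handler, or start a
# javascript: URL has no business in a programme title.
MARKUP_RE = re.compile(r"<|>|javascript:|\bon\w+\s*=", re.IGNORECASE)


def find_suspicious_titles(titles: list[str]) -> list[str]:
    """Return the titles that contain markup-like content, for logging or rejection."""
    return [t for t in titles if MARKUP_RE.search(t)]


if __name__ == "__main__":
    titles = parse_titles(SAMPLE_EPG_XML)
    print("unsafe:", render_epg_unsafe(titles))
    print("safe:  ", render_epg_safe(titles))
    print("flagged:", find_suspicious_titles(titles))
```

The check is a heuristic, not a substitute for escaping: the only reliable fix is `render_epg_safe`'s behaviour, escaping every title at the point where it is written into HTML, regardless of what the XML parser or the URL format check let through. Flagging is still useful as a detection signal, since the page lists no detection rules for this CVE.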
## Details
The vulnerability spans three files in the data flow:
**1. Entry point — `objects/videoAddNew.json.php:117-119`**
The `epg_link` parameter is stored with only a URL format check:
```php
if (empty($_POST['epg_link']) || isValidURL($_POST['epg_link'])) {
$o
```
OSV (published 2026-04-08)
CVE-2026-39367 [MEDIUM] WWBN AVideo has Stored XSS via Malicious EPG XML Program Titles in AVideo EPG Page (same advisory text as the GHSA entry above)
Detection rules: none found.
Public exploits: none indexed.
Published: 2026-04-07