cbcvebase.
CVE-2026-50183
published 2026-06-04

medium
WWBN AVideo: Stored XSS via Hostile YouTube Video Title in AVideo YouTubeAPI Gallery Section

# Stored XSS via Hostile YouTube Video Title in AVideo YouTubeAPI Gallery Section

## Summary

A stored Cross-Site Scripting vulnerability (CWE-79; chained CWE-829, Inclusion of Functionality from Untrusted Control Sphere) in the AVideo YouTubeAPI plugin renders the `snippet.title` field returned by the YouTube Data API into the homepage gallery markup with no HTML encoding. The title is set by the YouTube video uploader (anyone in the world) and is treated by AVideo as trusted content. A YouTube uploader who controls a video matching the operator's configured query injects HTML into the AVideo homepage by setting their video's title to a JavaScript-bearing string; the payload then executes in the browser of every visitor who loads any page that renders the gallery.

## Details

`plugin/YouTubeAPI/YouTubeAPI.php::listVideos()` fetches search results from the YouTube Data API and stores the `snippet.title` field unchanged inside a `YPTvideoObject`:

```php
// plugin/YouTubeAPI/YouTubeAPI.php (listVideos excerpt)
$searchResponse = $youtube->search->listSearch(
    'snippet,contentDetails,statistics', $options
);
foreach ($searchResponse['items'] as $searchResult) {
    $vid = new YPTvideoObject(
        $searchResult["id"]["videoId"],
        $searchResult['snippet']["title"], // uploader-controlled
        $searchResult['snippet']["description"],
        $searchResult['snippet']["thumbnails"]["high"]["url"],
        $searchResult['snippet']["channelTitle"],
        "https://www.youtube.com/embed/{$searchResult['id']['videoId']}"
    );
    $object->videos[] = $vid;
}
```

`plugin/YouTubeAPI/gallerySection.php` then renders the title into three HTML contexts inside each gallery card. Four reflection sites total, three of them completely unprotected:

```php
// plugin/YouTubeAPI/gallerySection.php (foreach body)
$youtubeTitle = $video->title;
...
" title="">
" alt="" ... />

" title="">


```

Sites (i), (iii), and (iv) call no encoder. Si
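The fix pattern for this class of bug is to treat `snippet.title` as untrusted text and HTML-encode it at every reflection site, in attribute and text-node contexts alike. The following is an added illustration, not AVideo's code: `renderCardUnsafe()` mirrors the flawed pattern of concatenating the raw title into the card markup, `renderCardSafe()` routes every output through one `htmlspecialchars()` wrapper, and the `$video` array shape and the sample title are constructed for the example (no real YouTube data is involved).

```php
<?php
// Added example, not part of the AVideo project. The function names,
// the $video array shape and the sample title are constructed here.
declare(strict_types=1);

/** Encode once per output; safe for both attribute values and element text. */
function h(string $s): string
{
    // ENT_QUOTES escapes both ' and ", so the result cannot terminate a
    // single- or double-quoted attribute; ENT_SUBSTITUTE avoids returning
    // an empty string on invalid UTF-8 instead of silently dropping output.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Flawed pattern: the uploader-controlled title lands in markup unchanged. */
function renderCardUnsafe(array $video): string
{
    $t = $video['title'];
    return '<a href="' . $video['link'] . '" title="' . $t . '">'
         . '<img src="' . $video['thumbnail'] . '" alt="' . $t . '" />'
         . '<span class="title">' . $t . '</span>'
         . '</a>';
}

/** Hardened version: all three reflection sites (and the URL attributes) go through h(). */
function renderCardSafe(array $video): string
{
    $t     = h($video['title']);     // encode once, reuse in every context
    $href  = h($video['link']);      // URLs are attribute values too
    $thumb = h($video['thumbnail']);
    return '<a href="' . $href . '" title="' . $t . '">'
         . '<img src="' . $thumb . '" alt="' . $t . '" />'
         . '<span class="title">' . $t . '</span>'
         . '</a>';
}

/** Returns true only if no raw quote or angle bracket from the title survives encoding. */
function titleIsInert(array $video): bool
{
    $html = renderCardSafe($video);
    return strpos($html, '"' . 'Road Trip' . '"') === false
        && strpos($html, '<part 1>') === false;
}

// Constructed sample: a title carrying the characters that close an
// attribute (") or open a tag (<), plus a bare ampersand.
$video = [
    'title'     => 'Summer "Road Trip" <part 1> & more',
    'link'      => 'https://www.youtube.com/embed/EXAMPLE_VIDEO_ID', // placeholder id
    'thumbnail' => 'https://example.invalid/thumb.jpg',
];

echo "unsafe: ", renderCardUnsafe($video), PHP_EOL;
echo "safe:   ", renderCardSafe($video), PHP_EOL;
echo "title inert after encoding: ", titleIsInert($video) ? 'yes' : 'no', PHP_EOL;
```

In the unsafe output the second `"` of the title terminates the `title=` attribute and `<part 1>` becomes a tag in the text node; in the safe output the same characters appear only as `&quot;`, `&lt;`, `&gt;` and `&amp;`, which the browser renders as literal text in every context. Keeping the raw string in `YPTvideoObject` as `listVideos()` does is fine on its own; the encoding belongs at the point of output, because the same value may later be emitted into other contexts (JSON, a URL) that need a different encoder.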

Affected

1 range

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| wwbn | avideo | 0 – 29.0 | |