CVE-2026-33295

WWBN AVideo is an open source video platform. Prior to version 26.0, WWBN/AVideo contains a stored cross-site scripting vulnerability in the CDN plugin's download buttons component. The `clean_title` field of a video record is interpolated directly into a JavaScript string literal without any escaping, allowing an attacker who can create or modify a video to inject arbitrary JavaScript that executes in the browser of any user who visits the affected download page. Version 26.0 fixes the issue.
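
The unescaped-interpolation pattern described above, next to one way to neutralise it. This is an added example, not AVideo's code or the upstream patch; the function names, the `downloadTitle` variable and the sample title are hypothetical and constructed for illustration.

```php
<?php
// Added illustration; not AVideo source. All names here are hypothetical.

// Vulnerable pattern: the title is placed raw inside a single-quoted JS string,
// so a quote or a closing script tag in the title ends the literal early.
function render_unsafe(string $cleanTitle): string
{
    return "<script>var downloadTitle = '{$cleanTitle}';</script>";
}

// Hardened pattern: json_encode() emits a complete JS string literal, quotes
// included. The JSON_HEX_* flags turn <, >, &, ' and " into \uXXXX escapes, so
// the value can close neither the string nor the surrounding <script> element.
function render_safe(string $cleanTitle): string
{
    $flags = JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP
           | JSON_THROW_ON_ERROR; // invalid UTF-8 raises JsonException instead of returning false
    $literal = json_encode($cleanTitle, $flags);
    return "<script>var downloadTitle = {$literal};</script>";
}

// Constructed sample title with an apostrophe and a closing script tag.
$title = "Bob's clip </script> part 2";

foreach (['render_unsafe', 'render_safe'] as $fn) {
    $html = $fn($title);
    // A raw "</script>" anywhere before the final one means the title
    // terminated the script element early.
    $early = strpos($html, '</script>') !== strlen($html) - strlen('</script>');
    printf("%-13s early close: %s\n  %s\n", $fn, $early ? 'yes' : 'no', $html);
}
```
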
Configurations

Configuration 1

cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*

History

24 Mar 2026, 17:53

| Type | Values Removed | Values Added |
|---|---|---|
| First Time | | Wwbn; Wwbn avideo |
| CVSS | v2 : unknown; v3 : unknown | v2 : unknown; v3 : 5.4 |
| CPE | | cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:* |
| References | () https://github.com/WWBN/AVideo/commit/30cdd825fa5778c1d678c2402be2413b84ee4833 - | () https://github.com/WWBN/AVideo/commit/30cdd825fa5778c1d678c2402be2413b84ee4833 - Patch |
| References | () https://github.com/WWBN/AVideo/security/advisories/GHSA-gc3m-4mcr-h3pv - | () https://github.com/WWBN/AVideo/security/advisories/GHSA-gc3m-4mcr-h3pv - Exploit, Vendor Advisory |
| Summary | | (es) WWBN AVideo is an open source video platform. Prior to version 26.0, WWBN/AVideo contains a stored cross-site scripting vulnerability in the download buttons component of the CDN plugin. The 'clean_title' field of a video record is interpolated directly into a JavaScript string literal without any escaping, allowing an attacker who can create or modify a video to inject arbitrary JavaScript that executes in the browser of any user who visits the affected download page. Version 26.0 fixes the issue. |

23 Mar 2026, 22:16

| Type | Values Removed | Values Added |
|---|---|---|
| References | () https://github.com/WWBN/AVideo/security/advisories/GHSA-gc3m-4mcr-h3pv - | () https://github.com/WWBN/AVideo/security/advisories/GHSA-gc3m-4mcr-h3pv - |

22 Mar 2026, 17:17

| Type | Values Removed | Values Added |
|---|---|---|
| New CVE | | |

Information

Published : 2026-03-22 17:17

Updated : 2026-03-24 17:53


NVD link : CVE-2026-33295

Mitre link : CVE-2026-33295

CVE.ORG link : CVE-2026-33295



Products Affected

wwbn

  • avideo
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')