CVE-2026-33500

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the fix for CVE-2026-27568 (GHSA-rcqw-6466-3mv7) introduced a custom `ParsedownSafeWithLinks` class that sanitizes raw HTML `<a>` and `<img>` tags in comments, but explicitly disables Parsedown's `safeMode`. This creates a bypass: markdown link syntax `[text](javascript:alert(1))` is processed by Parsedown's `inlineLink()` method, which does not go through the custom `sanitizeATag()` sanitization (that only handles raw HTML tags). With `safeMode` disabled, Parsedown's built-in `javascript:` URI filtering (`sanitiseElement()`/`filterUnsafeUrlInAttribute()`) is also inactive. An attacker can inject stored XSS via comment markdown links. Commit 3ae02fa240939dbefc5949d64f05790fd25d728d contains a patch.
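As an added illustration (not AVideo's or Parsedown's own code), the Python below models the two rendering paths the description contrasts: a raw HTML `<a>` tag that is sanitized, and a markdown link that reaches the output with its URL untouched when `safeMode` is off, next to a hardened renderer that runs both paths through the same Parsedown-style scheme filter. The regexes, the allowlist and the function names are simplified assumptions, not the project's implementation.

```python
import html
import re

# Allowlist modelled on Parsedown's safe-link prefixes (assumption: abbreviated here).
SAFE_PREFIXES = ("http://", "https://", "ftp://", "mailto:")

# Constructed, simplified matchers for raw HTML anchors and markdown links.
# The link matcher allows one level of parentheses inside the URL, as Parsedown does.
RAW_A = re.compile(r'<a\s+href="([^"]*)"[^>]*>(.*?)</a>', re.IGNORECASE | re.DOTALL)
MD_LINK = re.compile(r"\[([^\]]*)\]\(((?:[^()\s]|\([^()\s]*\))+)\)")


def filter_unsafe_url(url: str) -> str:
    """Parsedown-style neutralisation: keep allowlisted schemes, otherwise
    encode ':' as '%3A' so the browser no longer parses a scheme."""
    if url.lower().startswith(SAFE_PREFIXES):
        return url
    return url.replace(":", "%3A")


def _anchor(href: str, text: str) -> str:
    return f'<a href="{html.escape(href, quote=True)}">{html.escape(text)}</a>'


def render_vulnerable(comment: str) -> str:
    """Models the CVE-2026-33500 state (hypothetical stand-in for ParsedownSafeWithLinks):
    raw <a> tags pass through the URL filter, but markdown links are emitted
    with their URL as written, because safeMode is off and inlineLink is unfiltered."""
    out = RAW_A.sub(lambda m: _anchor(filter_unsafe_url(m.group(1)), m.group(2)), comment)
    return MD_LINK.sub(lambda m: _anchor(m.group(2), m.group(1)), out)


def render_hardened(comment: str) -> str:
    """Both syntaxes now go through the same URL filter, which is the effect
    of re-enabling safeMode (or filtering inside the markdown link path)."""
    out = RAW_A.sub(lambda m: _anchor(filter_unsafe_url(m.group(1)), m.group(2)), comment)
    return MD_LINK.sub(lambda m: _anchor(filter_unsafe_url(m.group(2)), m.group(1)), out)


def unsafe_hrefs(rendered_html: str) -> list:
    """Defender check over rendered comment HTML: every href that still carries
    a scheme outside the allowlist. An empty list means nothing script-like survived."""
    hrefs = re.findall(r'href="([^"]*)"', rendered_html, flags=re.IGNORECASE)
    return [h for h in hrefs if ":" in h and not h.lower().startswith(SAFE_PREFIXES)]
```

Running `unsafe_hrefs` over already-rendered comments is a cheap way to audit stored content after upgrading, since the bypass only affects links written in markdown syntax.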
Configurations

Configuration 1

cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*

History

24 Mar 2026, 18:11

  • Type: First Time
    Values Added: Wwbn; Wwbn avideo
  • Type: CPE
    Values Added: cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*
  • Type: References
    Values Removed: https://github.com/WWBN/AVideo/commit/3ae02fa240939dbefc5949d64f05790fd25d728d (no tags)
    Values Added: https://github.com/WWBN/AVideo/commit/3ae02fa240939dbefc5949d64f05790fd25d728d - Patch
  • Type: References
    Values Removed: https://github.com/WWBN/AVideo/security/advisories/GHSA-72h5-39r7-r26j (no tags)
    Values Added: https://github.com/WWBN/AVideo/security/advisories/GHSA-72h5-39r7-r26j - Exploit, Mitigation, Vendor Advisory
  • Type: Summary
    Values Added: (es, translated) WWBN AVideo is an open source video platform. In versions up to and including 26.0, the fix for CVE-2026-27568 (GHSA-rcqw-6466-3mv7) introduced a custom ParsedownSafeWithLinks class that sanitizes raw HTML `<a>` and `<img>` tags in comments, but explicitly disables Parsedown's safeMode. This creates a bypass: the markdown link syntax `[text](javascript:alert(1))` is processed by Parsedown's inlineLink() method, which does not go through the custom sanitizeATag() sanitization (which only handles raw HTML tags). With safeMode disabled, Parsedown's built-in `javascript:` URI filtering (sanitiseElement()/filterUnsafeUrlInAttribute()) is also inactive. An attacker can inject stored XSS via comment markdown links. Commit 3ae02fa240939dbefc5949d64f05790fd25d728d contains a patch.

23 Mar 2026, 17:16

Type Values Removed Values Added
New CVE

Information

Published : 2026-03-23 17:16

Updated : 2026-03-24 18:11


NVD link : CVE-2026-33500

Mitre link : CVE-2026-33500

CVE.ORG link : CVE-2026-33500

Products Affected

wwbn

  • avideo
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')