CVE-2026-41063

WWBN AVideo is an open source video platform. In versions 29.0 and below, an incomplete XSS fix in AVideo's `ParsedownSafeWithLinks` class overrides `inlineMarkup` for raw HTML but does not override `inlineLink()` or `inlineUrlTag()`, allowing `javascript:` URLs in markdown link syntax to bypass sanitization. Commit cae8f0dadbdd962c89b91d0095c76edb8aadcacf contains an updated fix.

CVSS v3 5.4 MEDIUM

5.4^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.3 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/WWBN/AVideo/commit/3ae02fa240939dbefc5949d64f05790fd25d728d	Patch
https://github.com/WWBN/AVideo/commit/cae8f0dadbdd962c89b91d0095c76edb8aadcacf	Patch
https://github.com/WWBN/AVideo/security/advisories/GHSA-72h5-39r7-r26j	Exploit Mitigation Vendor Advisory
https://github.com/WWBN/AVideo/security/advisories/GHSA-m7r8-6q9j-m2hc	Exploit Mitigation Vendor Advisory
https://github.com/WWBN/AVideo/security/advisories/GHSA-m7r8-6q9j-m2hc	Exploit Mitigation Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*

History

24 Apr 2026, 15:08

Type	Values Removed	Values Added
CPE		cpe:2.3:a:wwbn:avideo::::::::
First Time		Wwbn Wwbn avideo
References	~~() https://github.com/WWBN/AVideo/commit/3ae02fa240939dbefc5949d64f05790fd25d728d -~~	() https://github.com/WWBN/AVideo/commit/3ae02fa240939dbefc5949d64f05790fd25d728d - Patch
References	~~() https://github.com/WWBN/AVideo/commit/cae8f0dadbdd962c89b91d0095c76edb8aadcacf -~~	() https://github.com/WWBN/AVideo/commit/cae8f0dadbdd962c89b91d0095c76edb8aadcacf - Patch
References	~~() https://github.com/WWBN/AVideo/security/advisories/GHSA-72h5-39r7-r26j -~~	() https://github.com/WWBN/AVideo/security/advisories/GHSA-72h5-39r7-r26j - Exploit, Mitigation, Vendor Advisory
References	~~() https://github.com/WWBN/AVideo/security/advisories/GHSA-m7r8-6q9j-m2hc -~~	() https://github.com/WWBN/AVideo/security/advisories/GHSA-m7r8-6q9j-m2hc - Exploit, Mitigation, Vendor Advisory

22 Apr 2026, 19:17

Type	Values Removed	Values Added
References	~~() https://github.com/WWBN/AVideo/security/advisories/GHSA-m7r8-6q9j-m2hc -~~	() https://github.com/WWBN/AVideo/security/advisories/GHSA-m7r8-6q9j-m2hc -

22 Apr 2026, 00:16

Type	Values Removed	Values Added
Summary	(en) WWBN AVideo is an open source video platform. In versions 29.0 and below, the incomplete XSS fix in AVideo's `ParsedownSafeWithLinks` class overrides `inlineMarkup` for raw HTML but does not override `inlineLink()` or `inlineUrlTag()`, allowing `javascript:` URLs in markdown link syntax to bypass sanitization. Commit cae8f0dadbdd962c89b91d0095c76edb8aadcacf contains an updated fix.	(en) WWBN AVideo is an open source video platform. In versions 29.0 and below, an incomplete XSS fix in AVideo's `ParsedownSafeWithLinks` class overrides `inlineMarkup` for raw HTML but does not override `inlineLink()` or `inlineUrlTag()`, allowing `javascript:` URLs in markdown link syntax to bypass sanitization. Commit cae8f0dadbdd962c89b91d0095c76edb8aadcacf contains an updated fix.

21 Apr 2026, 23:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-04-21 23:16

Updated : 2026-04-24 15:08

NVD link : CVE-2026-41063

Mitre link : CVE-2026-41063

CVE.ORG link : CVE-2026-41063

JSON object : View

Products Affected

wwbn

avideo

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

5.4 /10