CVE-2026-33295
AVideo Vulnerable to Stored XSS via Unescaped Video Title in CDN downloadButtons.php
WWBN AVideo is an open source video platform. Prior to version 26.0, WWBN/AVideo contains a stored cross-site scripting vulnerability in the CDN plugin's download buttons component. The `clean_title` field of a video record is interpolated directly into a JavaScript string literal without any escaping, allowing an attacker who can create or modify a video to inject arbitrary JavaScript that executes in the browser of any user who visits the affected download page. Version 26.0 fixes the issue.
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N
Produtos afetados
WWBN · AVideoQuer saber se a sua infraestrutura está exposta a isto?
Falar com a TrueHacking →