anonhaven
Ad

CVE-2026-33500

MEDIUM CVSS 3.1: 5.4 EPSS 0.01%
Updated Mar 24, 2026
Wwbn
Parameter Value
CVSS 5.4 (MEDIUM)
Affected Versions before 26.0
Type CWE-79 (Cross-Site Scripting (XSS))
Vendor Wwbn
Public PoC No

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the fix for CVE-2026-27568 (GHSA-rcqw-6466-3mv7) introduced a custom `ParsedownSafeWithLinks` class that sanitizes raw HTML `<a>` and `<img>` tags in comments, but explicitly disables Parsedown's `safeMode`. This creates a bypass: markdown link syntax `[text](javascript:alert(1))` is processed by Parsedown's `inlineLink()` method, which does not go through the custom `sanitizeATag()` sanitization (that only handles raw HTML tags).

With `safeMode` disabled, Parsedown's built-in `javascript:` URI filtering (`sanitiseElement()`/`filterUnsafeUrlInAttribute()`) is also inactive. An attacker can inject stored XSS via comment markdown links. Commit 3ae02fa240939dbefc5949d64f05790fd25d728d contains a patch.

Attack Parameters

Attack Vector
Network
Can be exploited remotely
Attack Complexity
Low
Easy to exploit
Privileges Required
Low
Basic privileges needed
User Interaction
Required
User action required

Impact Assessment

Confidentiality
Low
Partial data leak
Integrity
Low
Partial data modification
Availability
None
No disruption

CVSS Vector v3.1

Weakness Type (CWE)

CWE-79 Cross-Site Scripting (XSS)

Vulnerable Products 1

Configuration From (including) Up to (excluding)
Wwbn Avideo
cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*
 <= 26.0

References 2

https://github.com/WWBN/AVideo/commit/3ae02fa240939dbefc5949d64f05790fd25d728d
security-advisories@github.com
https://github.com/WWBN/AVideo/security/advisories/GHSA-72h5-39r7-r26j
security-advisories@github.com
Share Post Share Share Share

Related Vulnerabilities

CVE-2026-34740

PHP

6.5

CVE-2026-34739

PHP

6.1

CVE-2026-34738

Wwbn

4.3

CVE-2026-34737

PHP

6.5

CVE-2026-34733

PHP

7.3