{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33035", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-17T18:10:50.209Z", "datePublished": "2026-03-20T05:08:31.540Z", "dateUpdated": "2026-03-20T15:40:13.134Z"}, "containers": {"cna": {"title": "Unauthenticated Reflected XSS via innerHTML in AVideo", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/WWBN/AVideo/security/advisories/GHSA-wfq5-qgqp-hvhv", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-wfq5-qgqp-hvhv"}, {"name": "https://github.com/WWBN/AVideo/commit/cca6196f4072cb9acc39b1030fb8fb1702b4f69b", "tags": ["x_refsource_MISC"], "url": "https://github.com/WWBN/AVideo/commit/cca6196f4072cb9acc39b1030fb8fb1702b4f69b"}], "affected": [{"vendor": "WWBN", "product": "AVideo", "versions": [{"version": "< 26.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T05:09:03.649Z"}, "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions 25.0 and below, there is a reflected XSS vulnerability that allows unauthenticated attackers to execute arbitrary JavaScript in a victim's browser. User input from a URL parameter flows through PHP's json_encode() into a JavaScript function that renders it via innerHTML, bypassing encoding and achieving full script execution. The vulnerability is caused by two issues working together: unescaped user input passed to JavaScript (videoNotFound.php), and innerHTML rendering HTML tags as executable DOM (script.js). The attack can be escalated to steal session cookies, take over accounts, phish credentials via injected login forms, spread self-propagating payloads, and compromise admin accounts \u2014 all by exploiting the lack of proper input sanitization and cookie security (e.g., missing HttpOnly flag on PHPSESSID). The issue has been fixed in version 26.0."}], "source": {"advisory": "GHSA-wfq5-qgqp-hvhv", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-20T15:39:55.846227Z", "id": "CVE-2026-33035", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T15:40:13.134Z"}}]}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions 25.0 and below, there is a reflected XSS vulnerability that allows unauthenticated attackers to execute arbitrary JavaScript in a victim's browser. User input from a URL parameter flows through PHP's json_encode() into a JavaScript function that renders it via innerHTML, bypassing encoding and achieving full script execution. The vulnerability is caused by two issues working together: unescaped user input passed to JavaScript (videoNotFound.php), and innerHTML rendering HTML tags as executable DOM (script.js). The attack can be escalated to steal session cookies, take over accounts, phish credentials via injected login forms, spread self-propagating payloads, and compromise admin accounts \u2014 all by exploiting the lack of proper input sanitization and cookie security (e.g., missing HttpOnly flag on PHPSESSID). The issue has been fixed in version 26.0."}], "id": "CVE-2026-33035", "lastModified": "2026-03-20T13:37:50.737", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-20T05:16:16.103", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/WWBN/AVideo/commit/cca6196f4072cb9acc39b1030fb8fb1702b4f69b"}, {"source": "security-advisories@github.com", "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-wfq5-qgqp-hvhv"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Undergoing Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,26.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "AVideo", "source": "cna", "vendor": "WWBN"}, "product": "avideo", "vendor": "wwbn"}], "analysis": {"en": {"generated_at": "2026-03-20T06:21:46.266692+00:00", "value": {"mitigation_remediation": ["Upgrade AVideo to version 26.0 or later."], "summary": {"action": "Apply Patch", "impact": "Cross\u2011Site Scripting (XSS)"}, "threat_synthesis": {"affected_systems": "The affected vendor is WWBN and the product is AVideo. All installations running version 25.0 or earlier are vulnerable; the issue is fixed in version 26.0 and later.", "description_and_impact": "In WWBN AVideo versions 25.0 and below an unauthenticated attacker can trigger a reflected XSS vulnerability. URL parameters are forwarded through PHP's json_encode() into a JavaScript function that renders the data via innerHTML, bypassing proper encoding. This flaw allows the attacker to inject arbitrary JavaScript that runs with the victim\u2019s browser privileges. The primary impact is remote code execution, enabling session cookie theft, account takeover, credential phishing, propagation of self\u2011propagating scripts, and potential compromise of admin accounts. The weakness is identified as CWE\u201179.", "risk_and_exploitability": "The CVSS score is 5.3, indicating medium severity. No EPSS data is available and the vulnerability is not listed in the CISA KEV catalog. The attack can be performed by any unauthenticated user by crafting a malicious URL that includes the vulnerable parameter, then tricking a legitimate user into visiting that URL. Once executed, the attacker can execute JavaScript in the victim\u2019s context and potentially steal sensitive information or compromise higher\u2011privilege accounts."}}}}, "created": "2026-03-20T08:52:30.270376+00:00", "updated": "2026-03-20T10:37:12.035692+00:00", "vendors": ["wwbn", "wwbn$PRODUCT$avideo"]}