WWBN AVideo is an open source video platform. Prior to version 26.0, WWBN/AVideo contains a stored cross-site scripting vulnerability in the CDN plugin's download buttons component. The `clean_title` field of a video record is interpolated directly into a JavaScript string literal without any escaping, allowing an attacker who can create or modify a video to inject arbitrary JavaScript that executes in the browser of any user who visits the affected download page. Version 26.0 fixes the issue.
PUBLISHED5.2CWE-79
AVideo Vulnerable to Stored XSS via Unescaped Video Title in CDN downloadButtons.php
Problem type
Affected products
WWBN
AVideo
< 26.0 - AFFECTED
References
https://github.com/WWBN/AVideo/security/advisories/GHSA-gc3m-4mcr-h3pv
https://github.com/WWBN/AVideo/security/advisories/GHSA-gc3m-4mcr-h3pv
https://github.com/WWBN/AVideo/commit/30cdd825fa5778c1d678c2402be2413b84ee4833
https://github.com/WWBN/AVideo/commit/30cdd825fa5778c1d678c2402be2413b84ee4833
GitHub Security Advisories
GHSA-gc3m-4mcr-h3pv
AVideo Affected by Stored XSS via Unescaped Video Title in CDN downloadButtons.php
https://github.com/advisories/GHSA-gc3m-4mcr-h3pvSummary
WWBN/AVideo contains a stored cross-site scripting vulnerability in the CDN plugin's download buttons component. The clean_title field of a video record is interpolated directly into a JavaScript string literal without any escaping, allowing an attacker who can create or modify a video to inject arbitrary JavaScript that executes in the browser of any user who visits the affected download page.
Details
At line 59 of the affected file, the following PHP code constructs a JavaScript function call:
downloadURLOrAlertError(url, {}, '<?php echo $video['clean_title']; ?>.' + format, progress);
The clean_title value is echoed verbatim inside a single-quoted JavaScript string literal. No JavaScript-context escaping is applied, such as wrapping with json_encode or htmlspecialchars with appropriate flags. Because the value sits inside a JS string delimited by single quotes, any input containing a single quote character allows an attacker to terminate the string prematurely and inject arbitrary JavaScript expressions. The clean_title field is derived from user-supplied video title input, meaning any user with video creation or editing privileges can craft a malicious title. The injected script executes in the security context of whatever user loads the download page for that video, which may include administrators or authenticated users with elevated privileges.
PoC
import requests
target = "https://example.com"
login_url = f"{target}/user"
upload_url = f"{target}/video/addNew"
session = requests.Session()
session.post(login_url, data={
"user[user]": "attacker",
"user[pass]": "attackerpassword"
})
malicious_title = "');alert(document.cookie);//"
session.post(upload_url, data={
"title": malicious_title,
"description": "poc"
})
After the video is created, navigate to:
https://example.com/plugin/CDN/downloadButtons.php?videos_id=<TARGET_VIDEO_ID>
The rendered page will contain:
downloadURLOrAlertError(url, {}, '');alert(document.cookie);//.' + format, progress);
Impact
Any user who can create or edit a video can store malicious JavaScript that will execute in the browser of any other user who visits the download page for that video. This includes scenarios where an attacker with a low-privilege account targets administrator sessions. Successful exploitation enables session cookie theft, credential harvesting, and actions performed on behalf of the victim within the application. Because the payload is stored server-side and triggers without further attacker interaction, all users who access download pages for attacker-controlled videos are at risk.
JSON source
https://cveawg.mitre.org/api/cve/CVE-2026-33295Click to expand
{
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"cveMetadata": {
"cveId": "CVE-2026-33295",
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"dateUpdated": "2026-03-22T17:00:55.697Z",
"dateReserved": "2026-03-18T18:55:47.427Z",
"datePublished": "2026-03-22T17:00:55.697Z",
"state": "PUBLISHED"
},
"containers": {
"cna": {
"providerMetadata": {
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M",
"dateUpdated": "2026-03-22T17:00:55.697Z"
},
"title": "AVideo Vulnerable to Stored XSS via Unescaped Video Title in CDN downloadButtons.php",
"descriptions": [
{
"lang": "en",
"value": "WWBN AVideo is an open source video platform. Prior to version 26.0, WWBN/AVideo contains a stored cross-site scripting vulnerability in the CDN plugin's download buttons component. The `clean_title` field of a video record is interpolated directly into a JavaScript string literal without any escaping, allowing an attacker who can create or modify a video to inject arbitrary JavaScript that executes in the browser of any user who visits the affected download page. Version 26.0 fixes the issue."
}
],
"affected": [
{
"vendor": "WWBN",
"product": "AVideo",
"versions": [
{
"version": "< 26.0",
"status": "affected"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"lang": "en",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')",
"cweId": "CWE-79",
"type": "CWE"
}
]
}
],
"references": [
{
"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-gc3m-4mcr-h3pv",
"name": "https://github.com/WWBN/AVideo/security/advisories/GHSA-gc3m-4mcr-h3pv",
"tags": [
"x_refsource_CONFIRM"
]
},
{
"url": "https://github.com/WWBN/AVideo/commit/30cdd825fa5778c1d678c2402be2413b84ee4833",
"name": "https://github.com/WWBN/AVideo/commit/30cdd825fa5778c1d678c2402be2413b84ee4833",
"tags": [
"x_refsource_MISC"
]
}
],
"metrics": [
{}
]
}
}
}