DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-27568: Comments That Kill: Inside the AVideo Stored XSS (CVE-2026-27568)


Vulnerability ID: CVE-2026-27568
CVSS Score: 5.4
Published: 2026-02-20

In the world of web security, few things are as timeless as Cross-Site Scripting (XSS). It’s the cockroach of vulnerabilities—it survives nuclear wars and framework rewrites. CVE-2026-27568 represents a classic failure in the 'sanitize your inputs' department within WWBN AVideo, a popular open-source video platform. By trusting a Markdown parser's default configuration, the developers inadvertently allowed attackers to turn the comment section into a weaponized payload delivery system. This report dives deep into how a missing boolean flag in a PHP library allowed javascript: URIs to slip past the goalie, leading to session hijacking and potential administrative takeover.

TL;DR

A Stored XSS vulnerability exists in WWBN AVideo versions prior to 21.0. The application uses the Parsedown library to render user comments to HTML but did not enable its 'Safe Mode', so link URLs were emitted into href attributes without any scheme check. This allows authenticated attackers to inject malicious JavaScript via Markdown links (e.g., [Click Me](javascript:...)). When an administrator or other user clicks the link, the script executes in that user's browser session, leading to session cookie theft and account takeover.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-79
  • Attack Vector: Network (Stored XSS)
  • CVSS v4.0: 5.1 (Medium)
  • Impact: Session Hijacking, Privilege Escalation
  • Library: Parsedown 1.7.4
  • KEV Status: Not Listed

Affected Systems

  • WWBN AVideo < 21.0 (Fixed in: 21.0)

Code Analysis

Commit: ade348e

Fix Stored XSS by enabling Parsedown SafeMode

--- a/objects/functionsSecurity.php
+++ b/objects/functionsSecurity.php
@@ -118,6 +118,8 @@
 function markDownToHTML($text) {
     $parsedown = new Parsedown();
+    $parsedown->setSafeMode(true);
+    $parsedown->setMarkupEscaped(true);
     $html = $parsedown->text($text);
     return $html;
 }
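Review bot: `$parsedown->setMarkupEscaped(true);` is redundant once `setSafeMode(true)` is set, because Parsedown's safe mode already escapes raw HTML in addition to filtering unsafe link schemes; keeping both is harmless, but the commit message should name `setSafeMode` as the actual fix. The hunk only changes the rendering function, so before merging confirm that every comment display path goes through `markDownToHTML()` and that comments are stored as Markdown rather than as cached rendered HTML, otherwise payloads stored before this patch stay live until they are re-rendered. Also note that `setSafeMode()` only exists from Parsedown 1.7.0 onward (the report lists 1.7.4), so the bundled library must not be downgraded below that.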

Mitigation Strategies

  • Input Sanitization
  • Output Encoding
  • Content Security Policy (CSP)

Remediation Steps:

  1. Upgrade AVideo to version 21.0 or later immediately.
  2. If upgrading is impossible, manually patch objects/functionsSecurity.php to enable setSafeMode(true) on the Parsedown object.
  3. Implement a strict Content Security Policy (CSP) to block inline JavaScript execution (script-src 'self') and restrict external connections. Under CSP a javascript: URL counts as inline script, so a policy without 'unsafe-inline' also blocks this class of link even if a renderer lets it through.
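The following is an added example, not AVideo or Parsedown code, that shows the check the TL;DR and remediation step 2 are about: a minimal Markdown link renderer run once without and once with a URL-scheme allowlist, which is the essence of what Parsedown's safe mode adds. It also includes a small audit function for scanning comments that were stored before the fix. The function names, the scheme allowlist and the sample comments are all constructed for illustration; Parsedown itself neutralises the colon in an unsafe href rather than dropping the link as this example does.

```python
"""Added example (not AVideo or Parsedown code): a minimal Markdown link
renderer showing why a URL-scheme allowlist, the check Parsedown's safe
mode performs, is what stops javascript: links in comments. All names and
sample comments are constructed for illustration."""
import html
import re
from urllib.parse import urlsplit

# Inline Markdown link syntax: [label](url). The URL may contain one level
# of balanced parentheses (e.g. javascript:alert(1)) but no whitespace.
# Assumption: no nested brackets, which is enough for this demonstration.
LINK_RE = re.compile(r"\[([^\]]*)\]\(((?:[^()\s]|\([^()\s]*\))+)\)")

# Allowlist of schemes permitted in an href. Anything else (javascript:,
# data:, vbscript:, ...) is refused. Relative URLs have no scheme and pass.
SAFE_SCHEMES = {"http", "https", "ftp", "mailto"}


def link_is_safe(url: str) -> bool:
    """Return True when the URL has no scheme or an allowlisted one."""
    scheme = urlsplit(url.strip()).scheme.lower()
    return scheme == "" or scheme in SAFE_SCHEMES


def render_markdown_links(text: str, safe_mode: bool) -> str:
    """Render [label](url) links to <a> tags and HTML-escape everything else.

    safe_mode=False mirrors the pre-fix behaviour: the href carries whatever
    scheme the comment author supplied. safe_mode=True applies the scheme
    allowlist and drops the hyperlink (keeping the visible label) when the
    scheme is not allowed.
    """
    out = []
    pos = 0
    for m in LINK_RE.finditer(text):
        # Text between links is escaped so raw markup is displayed, not run
        out.append(html.escape(text[pos:m.start()]))
        label, url = m.group(1), m.group(2)
        if safe_mode and not link_is_safe(url):
            out.append(html.escape(label))
        else:
            out.append(
                f'<a href="{html.escape(url, quote=True)}">{html.escape(label)}</a>'
            )
        pos = m.end()
    out.append(html.escape(text[pos:]))
    return "".join(out)


def find_unsafe_links(text: str) -> list:
    """Audit helper: list the link URLs in a comment that fail the allowlist.

    Intended for scanning comments stored before the fix was applied.
    """
    return [url for _, url in LINK_RE.findall(text) if not link_is_safe(url)]


if __name__ == "__main__":
    # Constructed sample comments
    samples = [
        "Great video! [Click Me](javascript:alert(1))",
        "see [the docs](https://example.com/a?b=1&c=2)",
        "<script>alert(1)</script> plain text",
    ]
    for s in samples:
        print("unsafe  :", render_markdown_links(s, safe_mode=False))
        print("safe    :", render_markdown_links(s, safe_mode=True))
        print("flagged :", find_unsafe_links(s))
```

The escaping of the href attribute alone does not help against the javascript: case, because the browser decodes entities inside the attribute before interpreting the URL; only the scheme check removes the risk, which is why the renderer applies both.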

References


Read the full report for CVE-2026-27568 on our website for more details including interactive diagrams and full exploit analysis.
