CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-33499: Reflected Cross-Site Scripting in WWBN AVideo Password Forms

Vulnerability ID: CVE-2026-33499
CVSS Score: 6.1
Published: 2026-03-20

WWBN AVideo versions up to and including 26.0 suffer from a reflected Cross-Site Scripting (XSS) vulnerability. The application fails to sanitize the unlockPassword parameter in password-protected page templates, allowing unauthenticated attackers to execute arbitrary JavaScript in a victim's browser context.

TL;DR

Unsanitized unlockPassword parameter in AVideo <= 26.0 allows unauthenticated reflected XSS, enabling session hijacking and account takeover.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-79
  • Attack Vector: Network
  • CVSS Score: 6.1
  • Impact: Session Hijacking, Account Takeover
  • Exploit Status: Proof of Concept Available
  • CISA KEV: Not Listed

Affected Systems

  • WWBN AVideo (formerly YouPHPTube)
  • AVideo <= 26.0 (fixed after 26.0 in commit f154167251)

Code Analysis

Commit: f154167

Fix Reflected XSS in view/forbiddenPage.php and view/warningPage.php by adding htmlspecialchars sanitization.

Exploit Details

  • Context Report PoC: Zero-interaction execution payload using autofocus and onfocus attributes within the unlockPassword parameter.

Mitigation Strategies

  • Update AVideo software to a release subsequent to version 26.0.
  • Implement Web Application Firewall (WAF) rules to filter malicious characters in the unlockPassword parameter.
  • Deploy a strict Content Security Policy (CSP) to restrict inline script execution and limit external script sources.

Remediation Steps:

  1. Identify the current version of the WWBN AVideo deployment.
  2. Download the latest release or apply commit f154167251c9cf183ce09cd018d07e9352310457 manually to the affected template files.
  3. Verify the patch by attempting to inject a benign payload (e.g., " onfocus="console.log(1)) and confirming it is properly entity-encoded in the HTTP response.
  4. Review web application logs for historical indicators of compromise related to this specific query parameter.
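The verification and log-review steps above, as an added example in Python (not code from the advisory or from AVideo): the first function checks that the benign marker from step 3 comes back entity-encoded the way htmlspecialchars would render it, and the second scans constructed Apache-style access log lines for unlockPassword values that look like markup rather than a password. The log format and sample lines are assumptions.

```python
import html
import re
from urllib.parse import parse_qs, urlparse

# Benign marker from remediation step 3 of the advisory.
BENIGN_MARKER = '" onfocus="console.log(1)'

# Constructed access log lines (not from any real deployment).
SAMPLE_LOG = [
    '203.0.113.5 - - [20/Mar/2026:10:00:01 +0000] "GET /view/forbiddenPage.php?unlockPassword=letmein HTTP/1.1" 200 512',
    '203.0.113.9 - - [20/Mar/2026:10:00:07 +0000] "GET /view/forbiddenPage.php?unlockPassword=%22%20autofocus%20onfocus%3D%22console.log(1) HTTP/1.1" 200 640',
    '198.51.100.2 - - [20/Mar/2026:10:00:09 +0000] "GET /index.php HTTP/1.1" 200 2048',
]

# Markup-like content in a password field: a tag start, an on*= handler,
# the autofocus attribute or a javascript: URL. Plain quotes alone are not
# flagged, since legitimate passwords may contain them.
SUSPICIOUS = re.compile(r'<[a-z/!]|\bon[a-z]+\s*=|autofocus|javascript:', re.IGNORECASE)

REQUEST_LINE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def marker_is_encoded(response_body: str, marker: str = BENIGN_MARKER) -> bool:
    """Step 3: True only if the reflected marker appears entity-encoded and never raw.

    html.escape(quote=True) produces the same &quot; encoding PHP's
    htmlspecialchars emits for double quotes, which is what the fix adds.
    """
    encoded = html.escape(marker, quote=True)
    return marker not in response_body and encoded in response_body


def suspicious_unlock_password_requests(access_log_lines):
    """Step 4: return (line_number, decoded_value) for requests whose
    unlockPassword query value contains markup-like content.

    Only GET query strings are visible in access logs; values sent in a POST
    body need request-body logging or a WAF log to review.
    """
    hits = []
    for line_no, line in enumerate(access_log_lines, 1):
        match = REQUEST_LINE.search(line)
        if not match:
            continue
        query = parse_qs(urlparse(match.group(1)).query)  # percent-decodes values
        for value in query.get("unlockPassword", []):
            if SUSPICIOUS.search(value):
                hits.append((line_no, value))
    return hits
```

A hit is a candidate for review, not proof of compromise; pair it with the response status and the client's other requests before drawing conclusions.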

Read the full report for CVE-2026-33499 on our website for more details including interactive diagrams and full exploit analysis.