CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-33500: Stored Cross-Site Scripting via Markdown Parsing Bypass in WWBN AVideo

Vulnerability ID: CVE-2026-33500
CVSS Score: 5.4
Published: 2026-03-20

WWBN AVideo versions up to and including 26.0 contain a stored Cross-Site Scripting (XSS) vulnerability. The application uses a custom Markdown parsing class that intentionally disables the parser's built-in security features, so an authenticated user can inject JavaScript through the target of a formatted Markdown link. The flaw bypasses the sanitization that was added to remediate CVE-2026-27568, making that earlier fix incomplete.

TL;DR

An incomplete fix in AVideo <= 26.0 lets an authenticated attacker store a Markdown link with a javascript: target in a video comment; the payload executes in the browser of any user who clicks the rendered link.

⚠️ Exploit Status: Proof of Concept (PoC)

Technical Details

  • CWE ID: CWE-79
  • Attack Vector: Network
  • CVSS v3.1 Score: 5.4
  • Privileges Required: Low (Authenticated)
  • User Interaction: Required
  • Exploit Status: Proof of Concept (PoC)
  • CISA KEV: Not Listed

Affected Systems

  • WWBN AVideo
  • AVideo: <= 26.0 (Fixed in: Commit 3ae02fa240939dbefc5949d64f05790fd25d728d)

Code Analysis

Commit: 3ae02fa

Fix for CVE-2026-33500: Override inlineLink to enforce URI whitelist on Markdown links.

Exploit Details

  • Security Advisory: Proof of Concept demonstrating malicious javascript: URI injection.

Mitigation Strategies

  • Update WWBN AVideo to a version strictly greater than 26.0.
  • Apply commit 3ae02fa240939dbefc5949d64f05790fd25d728d manually if patching the full application is not feasible.
  • Temporarily restrict or disable commenting functionality for untrusted users.
  • As a temporary stopgap only, add WAF rules that inspect comment submissions for Markdown links with a javascript: target. Match case-insensitively and expect obfuscation: browsers treat the scheme case-insensitively and drop ASCII tab and newline characters from a URL before parsing it, so a rule for the literal string `](javascript:` is easy to evade. The real fix is the scheme allowlist in the parser.

Remediation Steps:

  1. Verify the current version of AVideo deployed in the environment.
  2. Backup the database and application files.
  3. Download and deploy the latest release of AVideo from the official repository.
  4. Execute any required database migrations specified in the release notes.
  5. Scan the existing comments table for Markdown links whose target is not a plain http, https or mailto URL, to identify prior exploitation attempts. Searching only for the literal string `](javascript:` is not enough: search case-insensitively, allow for tab or newline characters inserted into the scheme, and include other dangerous schemes such as data: and vbscript:.
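
The following is an added example, not AVideo's own code or the content of commit 3ae02fa. It shows the two pieces the Code Analysis section and step 5 above call for: a Parsedown subclass whose overridden `inlineLink` enforces a URI scheme allowlist on every Markdown link (the approach the fix commit describes), and a scan function that flags stored comments whose link targets fail the same check. It assumes the custom parser extends the PHP Parsedown library (the overridden method name `inlineLink` is Parsedown's), that `Parsedown.php` sits beside the script, and that comments live in a `comments` table with `id`, `users_id` and `comment` columns; all of those names, the class and function names, and the sample comments are assumptions or constructed data.

```php
<?php
// Added example, not AVideo's code. Assumes the custom parser extends the PHP
// Parsedown library and that Parsedown.php is next to this script; the class,
// function, table and column names (comments.id, comments.users_id,
// comments.comment) are assumptions.
require_once __DIR__ . '/Parsedown.php';

class SafeLinkParsedown extends Parsedown
{
    /** Schemes a commenter may link to; any other scheme is neutralised. */
    public const ALLOWED_SCHEMES = ['http', 'https', 'mailto'];

    /**
     * Decide whether a link target is safe to emit. Browsers drop ASCII tab and
     * newline anywhere in a URL, ignore leading control characters and match
     * the scheme case-insensitively, so "\tJaVa\nScRiPt:alert(1)" still runs;
     * normalise the same way before extracting the scheme.
     */
    public static function isAllowedUrl(string $url): bool
    {
        $norm = preg_replace('/[\t\n\r]/', '', $url);
        $norm = preg_replace('/^[\x00-\x20]+/', '', $norm);
        if (!preg_match('/^([a-z][a-z0-9+.\-]*):/i', $norm, $m)) {
            return true; // relative path or fragment: no scheme to abuse
        }
        return in_array(strtolower($m[1]), self::ALLOWED_SCHEMES, true);
    }

    /**
     * Parsedown builds [text](target "title") links here; inlineImage calls it
     * too, so image sources get the same treatment. A disallowed target keeps
     * its link text but loses its scheme by encoding the colon, which is what
     * Parsedown's own safe mode does with unsafe URLs.
     */
    protected function inlineLink($Excerpt)
    {
        $Link = parent::inlineLink($Excerpt);
        if ($Link === null) {
            return null;
        }
        $href = $Link['element']['attributes']['href'] ?? '';
        if (!self::isAllowedUrl($href)) {
            $Link['element']['attributes']['href'] = str_replace(':', '%3A', $href);
        }
        return $Link;
    }
}

/**
 * Remediation check: list every Markdown link target in a stored comment whose
 * scheme is not allowed. A literal search for "](javascript:" misses
 * "](JavaScript:", "](\tjavascript:" and other schemes such as data: or vbscript:.
 */
function findUnsafeLinks(string $markdown): array
{
    $hits = [];
    if (preg_match_all('/\]\(\s*([^ )]+)/', $markdown, $m)) {
        foreach ($m[1] as $target) {
            if (!SafeLinkParsedown::isAllowedUrl($target)) {
                $hits[] = $target;
            }
        }
    }
    return $hits;
}

// Constructed sample comments (not real data) covering the bypass variants.
$samples = [
    '[watch](https://example.com/video/1)',
    '[related](/video/2)',
    '[prize](javascript:alert(document.cookie))',
    "[prize](\tJaVaScRiPt:alert(1))",
    "[prize](java\nscript:alert(1))",
    '[prize](data:text/html,<script>alert(1)</script>)',
];
$plain = new Parsedown();           // safe mode is off by default: links pass through
$hardened = new SafeLinkParsedown();
$hardened->setMarkupEscaped(true);  // also escapes raw HTML typed into a comment
foreach ($samples as $md) {
    echo "unpatched: ", $plain->text($md), PHP_EOL;
    echo "hardened:  ", $hardened->text($md), PHP_EOL;
    foreach (findUnsafeLinks($md) as $t) {
        echo "  flagged target: ", json_encode($t), PHP_EOL;
    }
}

// Database scan, run only when AVIDEO_DSN is set, e.g.
// AVIDEO_DSN='mysql:host=127.0.0.1;dbname=avideo' AVIDEO_DB_USER=... AVIDEO_DB_PASS=...
if ($dsn = getenv('AVIDEO_DSN')) {
    $pdo = new PDO($dsn, getenv('AVIDEO_DB_USER') ?: '', getenv('AVIDEO_DB_PASS') ?: '',
        [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    // Cheap SQL prefilter: only rows containing "](" can hold a Markdown link.
    $rows = $pdo->query("SELECT id, users_id, comment FROM comments WHERE comment LIKE '%](%'");
    foreach ($rows as $row) {
        foreach (findUnsafeLinks($row['comment']) as $t) {
            printf("comment %d by user %d: %s\n", $row['id'], $row['users_id'], $t);
        }
    }
}
```

Run it with `php scan.php` to see each sample rendered by an unmodified Parsedown (which emits `href="javascript:..."` verbatim) beside the hardened output, then with `AVIDEO_DSN` set to walk the live table. Parsedown 1.7 and later ship an equivalent allowlist behind `setSafeMode(true)`; the advisory states that AVideo's custom class disables such protections, and the override above applies the check regardless of that setting. The allowlist rather than a denylist is what makes the tab and newline variants harmless: anything whose scheme does not normalise to http, https or mailto is rewritten, so there is no list of bad schemes to keep current.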
