CVE-2026-47694: Stored Cross-Site Scripting in WWBN AVideo Category Descriptions
Vulnerability ID: CVE-2026-47694
CVSS Score: 5.4
Published: 2026-06-04
A Stored Cross-Site Scripting (XSS) vulnerability exists in WWBN AVideo versions up to and including 29.0. Unsanitized category descriptions are stored in the database and subsequently rendered as raw HTML in the Gallery view plugin, allowing low-privileged authenticated users to execute arbitrary JavaScript in the browsers of visiting users.
TL;DR
WWBN AVideo versions <= 29.0 allow authenticated users to achieve Stored XSS by inserting malicious payloads into category descriptions, executing arbitrary JavaScript when other users view the category page.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-79
- Attack Vector: Network
- CVSS Base Score: 5.4 (Medium)
- EPSS Score: 0.00035 (10.83% percentile)
- Impact: Stored Cross-Site Scripting / Session Hijacking
- Exploit Status: Proof-of-Concept Available
- KEV Status: Not Listed
Affected Systems
- WWBN AVideo
- AVideo: <= 29.0 (Fixed in: 6a6ff1f5bff1904f91f612db9f0da083295392b1)
Code Analysis
Commit: 6a6ff1f
Fix category description rendering to resolve XSS vulnerability by applying HTMLPurifier and htmlentities
Mitigation Strategies
- Upgrade to a release newer than 29.0
- Restrict category creation and modification privileges to trusted administrative users
- Implement Content Security Policy (CSP) headers that restrict inline script execution (e.g., script-src 'self')
Remediation Steps
- Verify the installed WWBN AVideo application version
- If the version is <= 29.0, update the source code to the latest release or apply the patch in commit 6a6ff1f5bff1904f91f612db9f0da083295392b1
- Examine the description column of the category table in the database for stored malicious scripts
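As an added example (not part of this advisory or of AVideo's own code), a Python audit helper for the last remediation step: it scans rows pulled from the category table for script indicators in the description column and shows the output encoding (the Python analogue of PHP htmlentities) that the fix applies on render. The pattern names, the (id, description) row layout and the sample rows are constructed assumptions.

```python
import html
import re

# Indicators of active content in a field that should hold plain text or benign markup.
# Constructed for this example; tune to the markup your deployment actually allows.
SUSPICIOUS_PATTERNS = {
    "script_tag": re.compile(r"<\s*script\b", re.IGNORECASE),
    "event_handler": re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE),
    "javascript_uri": re.compile(r"javascript\s*:", re.IGNORECASE),
    "embedded_object": re.compile(r"<\s*(iframe|object|embed|svg)\b", re.IGNORECASE),
}


def find_indicators(description):
    """Return the names of the patterns a description matches (empty list if clean)."""
    if not description:
        return []
    return [name for name, rx in SUSPICIOUS_PATTERNS.items() if rx.search(description)]


def scan_descriptions(rows):
    """rows: iterable of (category_id, description), e.g. from
    SELECT id, description FROM categories. Returns (category_id, indicators)
    for every row that needs manual review."""
    findings = []
    for category_id, description in rows:
        hits = find_indicators(description)
        if hits:
            findings.append((category_id, hits))
    return findings


def escape_for_html(description):
    """Output-encode a description for an HTML text context; this is what the
    fixed rendering path must do instead of echoing the stored value raw."""
    return html.escape(description or "", quote=True)


# Constructed sample rows standing in for the category table contents.
SAMPLE_ROWS = [
    (1, "Cooking videos for beginners"),
    (2, "Tutorials <b>and</b> walkthroughs"),  # plain markup, no script indicator
    (3, "<script>/* constructed sample */</script>"),
    (4, '<img src="x" onerror="void 0">'),
    (5, 'See <a href="javascript:void 0">here</a>'),
]

if __name__ == "__main__":
    for cid, hits in scan_descriptions(SAMPLE_ROWS):
        print(f"category {cid}: review needed ({', '.join(hits)})")
    print(escape_for_html(SAMPLE_ROWS[3][1]))
```

Run it against a real export of the category table; every flagged row should be reviewed by hand, since the patterns are indicators, not proof of a payload.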