CVE-2026-33035 (GCVE-0-2026-33035)
Vulnerability from cvelistv5 – Published: 2026-03-20 05:08 – Updated: 2026-03-20 15:40
VLAI?
Title
Unauthenticated Reflected XSS via innerHTML in AVideo
Summary
WWBN AVideo is an open source video platform. In versions 25.0 and below, there is a reflected XSS vulnerability that allows unauthenticated attackers to execute arbitrary JavaScript in a victim's browser. User input from a URL parameter flows through PHP's json_encode() into a JavaScript function that renders it via innerHTML, bypassing encoding and achieving full script execution. The vulnerability is caused by two issues working together: unescaped user input passed to JavaScript (videoNotFound.php), and innerHTML rendering HTML tags as executable DOM (script.js). The attack can be escalated to steal session cookies, take over accounts, phish credentials via injected login forms, spread self-propagating payloads, and compromise admin accounts — all by exploiting the lack of proper input sanitization and cookie security (e.g., missing HttpOnly flag on PHPSESSID). The issue has been fixed in version 26.0.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-33035",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-20T15:39:55.846227Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-20T15:40:13.134Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "AVideo",
"vendor": "WWBN",
"versions": [
{
"status": "affected",
"version": "\u003c 26.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "WWBN AVideo is an open source video platform. In versions 25.0 and below, there is a reflected XSS vulnerability that allows unauthenticated attackers to execute arbitrary JavaScript in a victim\u0027s browser. User input from a URL parameter flows through PHP\u0027s json_encode() into a JavaScript function that renders it via innerHTML, bypassing encoding and achieving full script execution. The vulnerability is caused by two issues working together: unescaped user input passed to JavaScript (videoNotFound.php), and innerHTML rendering HTML tags as executable DOM (script.js). The attack can be escalated to steal session cookies, take over accounts, phish credentials via injected login forms, spread self-propagating payloads, and compromise admin accounts \u2014 all by exploiting the lack of proper input sanitization and cookie security (e.g., missing HttpOnly flag on PHPSESSID). The issue has been fixed in version 26.0."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-20T05:09:03.649Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/WWBN/AVideo/security/advisories/GHSA-wfq5-qgqp-hvhv",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-wfq5-qgqp-hvhv"
},
{
"name": "https://github.com/WWBN/AVideo/commit/cca6196f4072cb9acc39b1030fb8fb1702b4f69b",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/WWBN/AVideo/commit/cca6196f4072cb9acc39b1030fb8fb1702b4f69b"
}
],
"source": {
"advisory": "GHSA-wfq5-qgqp-hvhv",
"discovery": "UNKNOWN"
},
"title": "Unauthenticated Reflected XSS via innerHTML in AVideo"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-33035",
"datePublished": "2026-03-20T05:08:31.540Z",
"dateReserved": "2026-03-17T18:10:50.209Z",
"dateUpdated": "2026-03-20T15:40:13.134Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2026-33035\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-03-20T05:16:16.103\",\"lastModified\":\"2026-03-24T16:30:45.583\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"WWBN AVideo is an open source video platform. In versions 25.0 and below, there is a reflected XSS vulnerability that allows unauthenticated attackers to execute arbitrary JavaScript in a victim\u0027s browser. User input from a URL parameter flows through PHP\u0027s json_encode() into a JavaScript function that renders it via innerHTML, bypassing encoding and achieving full script execution. The vulnerability is caused by two issues working together: unescaped user input passed to JavaScript (videoNotFound.php), and innerHTML rendering HTML tags as executable DOM (script.js). The attack can be escalated to steal session cookies, take over accounts, phish credentials via injected login forms, spread self-propagating payloads, and compromise admin accounts \u2014 all by exploiting the lack of proper input sanitization and cookie security (e.g., missing HttpOnly flag on PHPSESSID). The issue has been fixed in version 26.0.\"},{\"lang\":\"es\",\"value\":\"WWBN AVideo es una plataforma de video de c\u00f3digo abierto. En las versiones 25.0 e inferiores, existe una vulnerabilidad de XSS reflejado que permite a atacantes no autenticados ejecutar JavaScript arbitrario en el navegador de una v\u00edctima. La entrada del usuario de un par\u00e1metro de URL fluye a trav\u00e9s de json_encode() de PHP hacia una funci\u00f3n de JavaScript que lo renderiza mediante innerHTML, omitiendo la codificaci\u00f3n y logrando la ejecuci\u00f3n completa del script. La vulnerabilidad es causada por dos problemas que trabajan juntos: entrada de usuario sin escapar pasada a JavaScript (videoNotFound.php), y innerHTML renderizando etiquetas HTML como DOM ejecutable (script.js). El ataque puede escalarse para robar cookies de sesi\u00f3n, tomar el control de cuentas, suplantar credenciales mediante formularios de inicio de sesi\u00f3n inyectados, propagar cargas \u00fatiles auto-propagantes y comprometer cuentas de administrador \u2014 todo explotando la falta de sanitizaci\u00f3n adecuada de la entrada y la seguridad de las cookies (p. ej., la ausencia de la bandera HttpOnly en PHPSESSID). El problema ha sido solucionado en la versi\u00f3n 26.0.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"PASSIVE\",\"vulnConfidentialityImpact\":\"NONE\",\"vulnIntegrityImpact\":\"NONE\",\"vulnAvailabilityImpact\":\"NONE\",\"subConfidentialityImpact\":\"LOW\",\"subIntegrityImpact\":\"LOW\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":6.1,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":2.7}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"26.0\",\"matchCriteriaId\":\"B468F0CE-E5E7-4607-BD15-B5763C47493E\"}]}]}],\"references\":[{\"url\":\"https://github.com/WWBN/AVideo/commit/cca6196f4072cb9acc39b1030fb8fb1702b4f69b\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/WWBN/AVideo/security/advisories/GHSA-wfq5-qgqp-hvhv\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-33035\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-20T15:39:55.846227Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-20T15:40:03.227Z\"}}], \"cna\": {\"title\": \"Unauthenticated Reflected XSS via innerHTML in AVideo\", \"source\": {\"advisory\": \"GHSA-wfq5-qgqp-hvhv\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 5.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N\", \"userInteraction\": \"PASSIVE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"LOW\", \"vulnIntegrityImpact\": \"NONE\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"LOW\", \"vulnConfidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"WWBN\", \"product\": \"AVideo\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 26.0\"}]}], \"references\": [{\"url\": \"https://github.com/WWBN/AVideo/security/advisories/GHSA-wfq5-qgqp-hvhv\", \"name\": \"https://github.com/WWBN/AVideo/security/advisories/GHSA-wfq5-qgqp-hvhv\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/WWBN/AVideo/commit/cca6196f4072cb9acc39b1030fb8fb1702b4f69b\", \"name\": \"https://github.com/WWBN/AVideo/commit/cca6196f4072cb9acc39b1030fb8fb1702b4f69b\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"WWBN AVideo is an open source video platform. In versions 25.0 and below, there is a reflected XSS vulnerability that allows unauthenticated attackers to execute arbitrary JavaScript in a victim\u0027s browser. User input from a URL parameter flows through PHP\u0027s json_encode() into a JavaScript function that renders it via innerHTML, bypassing encoding and achieving full script execution. The vulnerability is caused by two issues working together: unescaped user input passed to JavaScript (videoNotFound.php), and innerHTML rendering HTML tags as executable DOM (script.js). The attack can be escalated to steal session cookies, take over accounts, phish credentials via injected login forms, spread self-propagating payloads, and compromise admin accounts \\u2014 all by exploiting the lack of proper input sanitization and cookie security (e.g., missing HttpOnly flag on PHPSESSID). The issue has been fixed in version 26.0.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-79\", \"description\": \"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-03-20T05:09:03.649Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-33035\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-20T15:40:13.134Z\", \"dateReserved\": \"2026-03-17T18:10:50.209Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-03-20T05:08:31.540Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
GHSA-WFQ5-QGQP-HVHV
Vulnerability from github – Published: 2026-03-17 20:05 – Updated: 2026-03-20 21:22
VLAI?
Summary
Unauthenticated Reflected XSS via innerHTML in AVideo
Details
Summary
AVideo contains a reflected XSS vulnerability that allows unauthenticated attackers to execute arbitrary JavaScript in a victim's browser. User input from a URL parameter flows through PHP's json_encode() into a JavaScript function that renders it via innerHTML, bypassing encoding and achieving full script execution.
Root Cause
The vulnerability is caused by two issues working together:
1. Source: Unescaped user input passed to JavaScript (videoNotFound.php)
File: view/videoNotFound.php line 49
if (!empty($_REQUEST['404ErrorMsg'])) {
echo 'avideoAlertInfo(' . json_encode($_REQUEST['404ErrorMsg']) . ');';
}
PHP's json_encode() with default flags only escapes quotes (" → \") and backslashes. It does NOT escape HTML special characters (<, >, /). The resulting string contains raw HTML tags that are passed directly to JavaScript.
2. Sink: innerHTML renders HTML tags as executable DOM (script.js)
File: view/js/script.js
function avideoAlertInfo(msg) { // line ~1891
avideoAlert("", msg, 'info'); // calls ↓
}
function avideoAlert(title, msg, type) { // line ~1270
avideoAlertHTMLText(title, msg, type); // calls ↓
}
function avideoAlertHTMLText(title, msg, type) { // line ~1451
var span = document.createElement("span");
span.innerHTML = msg; // line 1464 — XSS SINK
swal({ content: span });
}
innerHTML parses the string as HTML. Any <img>, <svg>, or other HTML tags with event handlers are instantiated as real DOM elements, triggering JavaScript execution.
Data Flow
URL parameter (?404ErrorMsg=PAYLOAD)
→ $_REQUEST['404ErrorMsg']
→ json_encode() ← does NOT escape < > /
→ avideoAlertInfo()
→ avideoAlert()
→ avideoAlertHTMLText()
→ span.innerHTML = msg ← renders HTML tags, executes JS
Proof of Concept
https://localhost/view/videoNotFound.php?404ErrorMsg=<img src=x onerror=alert(document.domain)>
The page renders:
avideoAlertInfo("<img src=x onerror=alert(document.domain)>");
Which flows to span.innerHTML = "<img src=x onerror=alert(document.domain)>". The browser creates an <img> element, src=x fails to load, onerror fires alert(document.domain).
Affected Code
| File | Line | Issue |
|---|---|---|
view/videoNotFound.php |
49 | json_encode() does not escape < > for HTML context |
view/js/script.js |
1464 | span.innerHTML = msg renders user input as HTML |
view/js/script.js |
1282 | span.innerHTML = msg in avideoAlertWithCookie() |
view/js/script.js |
1335 | span.innerHTML = __(msg,true) in avideoConfirm() |
view/js/script.js |
1358 | span.innerHTML = msg in avideoAlertOnceForceConfirm() |
The innerHTML sink exists in 4 functions. Any future code that passes user input to avideoAlertInfo(), avideoAlertWarning(), avideoAlertDanger(), or avideoAlertSuccess() will create additional XSS vectors.
Remediation
Fix 1: Escape HTML in PHP (source fix)
// view/videoNotFound.php line 49
// BEFORE (vulnerable):
echo 'avideoAlertInfo(' . json_encode($_REQUEST['404ErrorMsg']) . ');';
// AFTER (fixed):
echo 'avideoAlertInfo(' . json_encode($_REQUEST['404ErrorMsg'], JSON_HEX_TAG | JSON_HEX_AMP) . ');';
JSON_HEX_TAG converts < → \u003C and > → \u003E, preventing HTML injection.
Fix 2: Use textContent instead of innerHTML (sink fix, recommended)
// view/js/script.js - all alert functions
// BEFORE (vulnerable):
span.innerHTML = msg;
// AFTER (fixed):
span.textContent = msg;
textContent treats the string as plain text — HTML tags are displayed literally, never parsed or executed.
Fix 3: Add Content-Security-Policy header (defense in depth)
Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'
Impact
- Session hijacking — steal
PHPSESSIDcookie (not HttpOnly by default) - Account takeover — use stolen session to change password or email
- Phishing — inject a realistic login form inside the SweetAlert modal
- Worm propagation — inject self-spreading payloads via comments/messages
- Admin compromise — send crafted link to admin, steal session, gain full control
Severity ?
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "wwbn/avideo"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "25.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-33035"
],
"database_specific": {
"cwe_ids": [
"CWE-79"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-17T20:05:23Z",
"nvd_published_at": "2026-03-20T05:16:16Z",
"severity": "MODERATE"
},
"details": "## Summary\n\nAVideo contains a reflected XSS vulnerability that allows unauthenticated attackers to execute arbitrary JavaScript in a victim\u0027s browser. User input from a URL parameter flows through PHP\u0027s `json_encode()` into a JavaScript function that renders it via `innerHTML`, bypassing encoding and achieving full script execution.\n\n\n## Root Cause\nThe vulnerability is caused by two issues working together:\n\n### 1. Source: Unescaped user input passed to JavaScript (videoNotFound.php)\n\n**File:** `view/videoNotFound.php` line 49\n\n```php\nif (!empty($_REQUEST[\u0027404ErrorMsg\u0027])) {\n echo \u0027avideoAlertInfo(\u0027 . json_encode($_REQUEST[\u0027404ErrorMsg\u0027]) . \u0027);\u0027;\n}\n```\n\nPHP\u0027s `json_encode()` with default flags only escapes quotes (`\"` \u2192 `\\\"`) and backslashes. It does **NOT** escape HTML special characters (`\u003c`, `\u003e`, `/`). The resulting string contains raw HTML tags that are passed directly to JavaScript.\n\n### 2. Sink: innerHTML renders HTML tags as executable DOM (script.js)\n\n**File:** `view/js/script.js`\n\n```javascript\nfunction avideoAlertInfo(msg) { // line ~1891\n avideoAlert(\"\", msg, \u0027info\u0027); // calls \u2193\n}\n\nfunction avideoAlert(title, msg, type) { // line ~1270\n avideoAlertHTMLText(title, msg, type); // calls \u2193\n}\n\nfunction avideoAlertHTMLText(title, msg, type) { // line ~1451\n var span = document.createElement(\"span\");\n span.innerHTML = msg; // line 1464 \u2014 XSS SINK\n swal({ content: span });\n}\n```\n\n`innerHTML` parses the string as HTML. Any `\u003cimg\u003e`, `\u003csvg\u003e`, or other HTML tags with event handlers are instantiated as real DOM elements, triggering JavaScript execution.\n\n### Data Flow\n\n```\nURL parameter (?404ErrorMsg=PAYLOAD)\n \u2192 $_REQUEST[\u0027404ErrorMsg\u0027]\n \u2192 json_encode() \u2190 does NOT escape \u003c \u003e /\n \u2192 avideoAlertInfo()\n \u2192 avideoAlert()\n \u2192 avideoAlertHTMLText()\n \u2192 span.innerHTML = msg \u2190 renders HTML tags, executes JS\n```\n\n---\n\n## Proof of Concept\n```\nhttps://localhost/view/videoNotFound.php?404ErrorMsg=\u003cimg src=x onerror=alert(document.domain)\u003e\n```\n\u003cimg width=\"1918\" height=\"1035\" alt=\"image\" src=\"https://github.com/user-attachments/assets/20077ce2-5b49-4bd3-a7df-ab48be786cc1\" /\u003e\n\nThe page renders:\n```javascript\navideoAlertInfo(\"\u003cimg src=x onerror=alert(document.domain)\u003e\");\n```\n\nWhich flows to `span.innerHTML = \"\u003cimg src=x onerror=alert(document.domain)\u003e\"`. The browser creates an `\u003cimg\u003e` element, `src=x` fails to load, `onerror` fires `alert(document.domain)`.\n\n## Affected Code\n\n| File | Line | Issue |\n|------|------|-------|\n| `view/videoNotFound.php` | 49 | `json_encode()` does not escape `\u003c` `\u003e` for HTML context |\n| `view/js/script.js` | 1464 | `span.innerHTML = msg` renders user input as HTML |\n| `view/js/script.js` | 1282 | `span.innerHTML = msg` in `avideoAlertWithCookie()` |\n| `view/js/script.js` | 1335 | `span.innerHTML = __(msg,true)` in `avideoConfirm()` |\n| `view/js/script.js` | 1358 | `span.innerHTML = msg` in `avideoAlertOnceForceConfirm()` |\n\nThe `innerHTML` sink exists in 4 functions. Any future code that passes user input to `avideoAlertInfo()`, `avideoAlertWarning()`, `avideoAlertDanger()`, or `avideoAlertSuccess()` will create additional XSS vectors.\n\n\n## Remediation\n\n### Fix 1: Escape HTML in PHP (source fix)\n\n```php\n// view/videoNotFound.php line 49\n// BEFORE (vulnerable):\necho \u0027avideoAlertInfo(\u0027 . json_encode($_REQUEST[\u0027404ErrorMsg\u0027]) . \u0027);\u0027;\n\n// AFTER (fixed):\necho \u0027avideoAlertInfo(\u0027 . json_encode($_REQUEST[\u0027404ErrorMsg\u0027], JSON_HEX_TAG | JSON_HEX_AMP) . \u0027);\u0027;\n```\n\n`JSON_HEX_TAG` converts `\u003c` \u2192 `\\u003C` and `\u003e` \u2192 `\\u003E`, preventing HTML injection.\n\n### Fix 2: Use textContent instead of innerHTML (sink fix, recommended)\n\n```javascript\n// view/js/script.js - all alert functions\n// BEFORE (vulnerable):\nspan.innerHTML = msg;\n\n// AFTER (fixed):\nspan.textContent = msg;\n```\n\n`textContent` treats the string as plain text \u2014 HTML tags are displayed literally, never parsed or executed.\n\n### Fix 3: Add Content-Security-Policy header (defense in depth)\n\n```\nContent-Security-Policy: default-src \u0027self\u0027; script-src \u0027self\u0027; style-src \u0027self\u0027 \u0027unsafe-inline\u0027\n```\n\n## Impact\n\n- **Session hijacking** \u2014 steal `PHPSESSID` cookie (not HttpOnly by default)\n- **Account takeover** \u2014 use stolen session to change password or email\n- **Phishing** \u2014 inject a realistic login form inside the SweetAlert modal\n- **Worm propagation** \u2014 inject self-spreading payloads via comments/messages\n- **Admin compromise** \u2014 send crafted link to admin, steal session, gain full control",
"id": "GHSA-wfq5-qgqp-hvhv",
"modified": "2026-03-20T21:22:24Z",
"published": "2026-03-17T20:05:23Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-wfq5-qgqp-hvhv"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33035"
},
{
"type": "WEB",
"url": "https://github.com/WWBN/AVideo/commit/cca6196f4072cb9acc39b1030fb8fb1702b4f69b"
},
{
"type": "PACKAGE",
"url": "https://github.com/WWBN/AVideo"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Unauthenticated Reflected XSS via innerHTML in AVideo"
}
FKIE_CVE-2026-33035
Vulnerability from fkie_nvd - Published: 2026-03-20 05:16 - Updated: 2026-03-24 16:30
Severity ?
Summary
WWBN AVideo is an open source video platform. In versions 25.0 and below, there is a reflected XSS vulnerability that allows unauthenticated attackers to execute arbitrary JavaScript in a victim's browser. User input from a URL parameter flows through PHP's json_encode() into a JavaScript function that renders it via innerHTML, bypassing encoding and achieving full script execution. The vulnerability is caused by two issues working together: unescaped user input passed to JavaScript (videoNotFound.php), and innerHTML rendering HTML tags as executable DOM (script.js). The attack can be escalated to steal session cookies, take over accounts, phish credentials via injected login forms, spread self-propagating payloads, and compromise admin accounts — all by exploiting the lack of proper input sanitization and cookie security (e.g., missing HttpOnly flag on PHPSESSID). The issue has been fixed in version 26.0.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B468F0CE-E5E7-4607-BD15-B5763C47493E",
"versionEndExcluding": "26.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "WWBN AVideo is an open source video platform. In versions 25.0 and below, there is a reflected XSS vulnerability that allows unauthenticated attackers to execute arbitrary JavaScript in a victim\u0027s browser. User input from a URL parameter flows through PHP\u0027s json_encode() into a JavaScript function that renders it via innerHTML, bypassing encoding and achieving full script execution. The vulnerability is caused by two issues working together: unescaped user input passed to JavaScript (videoNotFound.php), and innerHTML rendering HTML tags as executable DOM (script.js). The attack can be escalated to steal session cookies, take over accounts, phish credentials via injected login forms, spread self-propagating payloads, and compromise admin accounts \u2014 all by exploiting the lack of proper input sanitization and cookie security (e.g., missing HttpOnly flag on PHPSESSID). The issue has been fixed in version 26.0."
},
{
"lang": "es",
"value": "WWBN AVideo es una plataforma de video de c\u00f3digo abierto. En las versiones 25.0 e inferiores, existe una vulnerabilidad de XSS reflejado que permite a atacantes no autenticados ejecutar JavaScript arbitrario en el navegador de una v\u00edctima. La entrada del usuario de un par\u00e1metro de URL fluye a trav\u00e9s de json_encode() de PHP hacia una funci\u00f3n de JavaScript que lo renderiza mediante innerHTML, omitiendo la codificaci\u00f3n y logrando la ejecuci\u00f3n completa del script. La vulnerabilidad es causada por dos problemas que trabajan juntos: entrada de usuario sin escapar pasada a JavaScript (videoNotFound.php), y innerHTML renderizando etiquetas HTML como DOM ejecutable (script.js). El ataque puede escalarse para robar cookies de sesi\u00f3n, tomar el control de cuentas, suplantar credenciales mediante formularios de inicio de sesi\u00f3n inyectados, propagar cargas \u00fatiles auto-propagantes y comprometer cuentas de administrador \u2014 todo explotando la falta de sanitizaci\u00f3n adecuada de la entrada y la seguridad de las cookies (p. ej., la ausencia de la bandera HttpOnly en PHPSESSID). El problema ha sido solucionado en la versi\u00f3n 26.0."
}
],
"id": "CVE-2026-33035",
"lastModified": "2026-03-24T16:30:45.583",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2026-03-20T05:16:16.103",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/WWBN/AVideo/commit/cca6196f4072cb9acc39b1030fb8fb1702b4f69b"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-wfq5-qgqp-hvhv"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…