CVE-2026-33035
Reflected XSS in WWBN AVideo Enables Account Takeover

Publication date: 2026-03-20

Last updated on: 2026-03-24

Assigner: GitHub, Inc.

Description
WWBN AVideo is an open source video platform. In versions 25.0 and below, there is a reflected XSS vulnerability that allows unauthenticated attackers to execute arbitrary JavaScript in a victim's browser. User input from a URL parameter flows through PHP's json_encode() into a JavaScript function that renders it via innerHTML, bypassing encoding and achieving full script execution. The vulnerability is caused by two issues working together: unescaped user input passed to JavaScript (videoNotFound.php), and innerHTML rendering HTML tags as executable DOM (script.js). The attack can be escalated to steal session cookies, take over accounts, phish credentials via injected login forms, spread self-propagating payloads, and compromise admin accounts, all by exploiting the lack of proper input sanitization and cookie security (e.g., missing HttpOnly flag on PHPSESSID). The issue has been fixed in version 26.0.
Meta Information
Published: 2026-03-20
Last Modified: 2026-03-24
Generated: 2026-05-07
AI Q&A: 2026-03-20
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: wwbn
Product: avideo
Version / Range: up to 26.0 (exclusive)
CWE
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-33035 is a reflected Cross-Site Scripting (XSS) vulnerability in the WWBN AVideo platform (versions 25.0 and below). It occurs because user input from a URL parameter (specifically `404ErrorMsg`) is passed through PHP's `json_encode()` function without properly escaping HTML special characters like < and >. This unescaped input is then inserted into JavaScript code and rendered in the browser using the `innerHTML` property, which interprets the input as HTML and executes any embedded scripts.

The vulnerability arises from two main issues working together: unescaped user input passed to JavaScript in `videoNotFound.php`, and the use of `innerHTML` in JavaScript (`script.js`) to render that input. This allows an attacker to inject arbitrary JavaScript code that executes in the victim's browser.

An attacker can exploit this by crafting a URL with malicious JavaScript payload in the `404ErrorMsg` parameter, which when visited by a victim, triggers the execution of the injected script. [1]


How can this vulnerability impact me?

This vulnerability can have several serious impacts including:

  • Session hijacking by stealing session cookies that lack the HttpOnly flag, allowing attackers to impersonate users.
  • Account takeover by using stolen session information to gain unauthorized access.
  • Phishing attacks through injected realistic login forms within alert modals, tricking users into revealing credentials.
  • Propagation of self-spreading malware or worms by injecting payloads that spread across users.
  • Compromise of administrative accounts by targeting admins with crafted malicious links.

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by testing if the application improperly renders user input from the URL parameter `404ErrorMsg` in a way that executes JavaScript.

A practical detection method is to send a specially crafted URL containing a payload that triggers JavaScript execution, such as an image tag with an onerror event.

Example proof of concept URL to test the vulnerability:

  • https://localhost/view/videoNotFound.php?404ErrorMsg=<img src=x onerror=alert(document.domain)>

If the alert dialog showing the document domain appears, the vulnerability is present.

For automated or command-line testing, you can use curl or wget to fetch the URL and inspect the response for unescaped HTML tags or JavaScript code.

  • curl -i "https://your-avideo-instance/view/videoNotFound.php?404ErrorMsg=<img src=x onerror=alert(document.domain)>"
  • Observe if the response contains the injected payload unescaped within JavaScript code.

[1]


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include:

  • Update the WWBN AVideo platform to version 26.0 or later, where the vulnerability is fixed.
  • Apply source code fixes by escaping HTML special characters in PHP using json_encode() with flags JSON_HEX_TAG and JSON_HEX_AMP to prevent HTML injection.
  • Modify JavaScript alert functions to replace innerHTML assignments with textContent to prevent execution of injected scripts.
  • Implement a Content-Security-Policy (CSP) header restricting script sources to reduce the impact of any potential XSS.

These steps collectively prevent unescaped user input from being executed as code in the browser, mitigating the reflected XSS risk.
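
Added example (not code from AVideo or from this advisory): a JavaScript model of the two source fixes listed above. It shows that the json_encode() flags keep tag characters out of the page source, but the JavaScript engine decodes \u003C back to <, so the innerHTML sink must also be changed to textContent. phpJsonEncode(), sinkOutcome() and trace() are hypothetical names, and the sample value is the test string from the detection section.

```javascript
// Added example, not AVideo code. phpJsonEncode() is a hypothetical stand-in
// that models only how PHP's json_encode() treats <, > and & with these flags.
const JSON_HEX_TAG = 1;
const JSON_HEX_AMP = 2;

function phpJsonEncode(value, flags = 0) {
  // With no flags, <, > and & stay literal, as in JSON.stringify().
  let out = JSON.stringify(value);
  if (flags & JSON_HEX_TAG) {
    out = out.replace(/</g, '\\u003C').replace(/>/g, '\\u003E');
  }
  if (flags & JSON_HEX_AMP) {
    out = out.replace(/&/g, '\\u0026');
  }
  return out;
}

// Simplified model of the two DOM sinks (Node has no DOM): innerHTML runs the
// HTML parser over the string, textContent always creates a plain text node.
function sinkOutcome(runtimeValue, sink) {
  if (sink === 'textContent') return 'text';
  return /<[a-z!\/?]/i.test(runtimeValue) ? 'markup' : 'text';
}

// Follow one parameter value from the server-side encoder to the browser sink.
function trace(param, flags, sink) {
  const scriptSource = phpJsonEncode(param, flags); // what the page source holds
  const runtimeValue = JSON.parse(scriptSource);    // what the JS engine holds
  return {
    scriptSource,
    rawTagInSource: /[<>]/.test(scriptSource),
    runtimeValue,
    outcome: sinkOutcome(runtimeValue, sink),
  };
}

// The test value from the page's own detection section.
const sample = '<img src=x onerror=alert(document.domain)>';
const HEX = JSON_HEX_TAG | JSON_HEX_AMP;

for (const [label, flags, sink] of [
  ['before fix      ', 0, 'innerHTML'],
  ['PHP flags only  ', HEX, 'innerHTML'],
  ['textContent only', 0, 'textContent'],
  ['both fixes      ', HEX, 'textContent'],
]) {
  const t = trace(sample, flags, sink);
  console.log(label, 'rawTagInSource=' + t.rawTagInSource, 'sink sees ' + t.outcome);
}
```
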

