CVE-2026-33295
Stored XSS in WWBN AVideo CDN Plugin Download Buttons
Publication date: 2026-03-22
Last updated on: 2026-03-24
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wwbn | avideo | to 26.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': "CVE-2026-33295 is a stored cross-site scripting (XSS) vulnerability in the WWBN/AVideo platform, specifically in the CDN plugin's download buttons component. The vulnerability occurs because the `clean_title` field of a video, which comes from user-supplied video titles, is directly inserted into a JavaScript string literal without any escaping or sanitization."}, {'type': 'paragraph', 'content': 'An attacker who can create or modify videos can inject malicious JavaScript code by including special characters like single quotes in the video title. This injected script then executes in the browser of any user who visits the affected download page, potentially including administrators or users with elevated privileges.'}, {'type': 'paragraph', 'content': 'The vulnerability allows arbitrary JavaScript execution in the context of the affected page, enabling attacks such as session cookie theft and unauthorized actions performed on behalf of victims.'}] [1]
How can this vulnerability impact me? :
This vulnerability can have serious impacts including theft of session cookies, which can lead to account hijacking and unauthorized access.
Attackers can perform actions on behalf of victims without their consent, potentially compromising user data and platform integrity.
Because the malicious script executes in the security context of users visiting the affected page, it can affect administrators or users with elevated privileges, increasing the risk of broader system compromise.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': "This vulnerability can be detected by checking if the WWBN/AVideo platform version is prior to 26.0 and if the CDN plugin's downloadButtons.php component interpolates the `clean_title` field directly into JavaScript without escaping."}, {'type': 'paragraph', 'content': 'One practical way to detect exploitation attempts is to look for suspicious video titles containing JavaScript code or single quotes that could prematurely terminate string literals.'}, {'type': 'paragraph', 'content': 'You can also monitor HTTP requests to the download page URL pattern like: https://example.com/plugin/CDN/downloadButtons.php?videos_id=<TARGET_VIDEO_ID> for unusual parameters or injected scripts.'}, {'type': 'paragraph', 'content': 'Suggested commands include searching the database or video records for titles containing suspicious characters such as single quotes or JavaScript snippets.'}, {'type': 'list_item', 'content': 'Example SQL query to find suspicious titles: SELECT id, clean_title FROM videos WHERE clean_title LIKE "%\'%" OR clean_title LIKE "%alert(%";'}, {'type': 'list_item', 'content': 'Use web server logs to grep for requests to downloadButtons.php with suspicious parameters: grep "downloadButtons.php" /var/log/apache2/access.log | grep -E "(alert|\\\')"'}] [1]
What immediate steps should I take to mitigate this vulnerability?
[{'type': 'paragraph', 'content': 'The immediate mitigation step is to upgrade the WWBN/AVideo platform to version 26.0 or later, where the vulnerability is fixed.'}, {'type': 'paragraph', 'content': 'If upgrading is not immediately possible, apply the patch that uses proper escaping of the `clean_title` field by replacing the direct interpolation with a JSON-encoded string in the JavaScript call.'}, {'type': 'paragraph', 'content': "Specifically, modify the code in plugin/CDN/downloadButtons.php to use: downloadURLOrAlertError(url, {}, <?php echo json_encode($video['clean_title']); ?> + '.' + format, progress);"}, {'type': 'paragraph', 'content': 'Additionally, restrict or review user permissions to limit who can create or modify videos, as the vulnerability requires video creation or editing privileges.'}, {'type': 'paragraph', 'content': 'Monitor and sanitize video titles to prevent injection of malicious scripts until the patch or upgrade is applied.'}] [1, 2]