CVE-2026-39367
Stored XSS in WWBN AVideo EPG Allows Account Takeover
Publication date: 2026-04-07
Last updated on: 2026-04-22
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wwbn | avideo | up to and including 26.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-39367 is a stored Cross-Site Scripting (XSS) vulnerability in the WWBN AVideo platform's Electronic Program Guide (EPG) feature. The vulnerability occurs because the EPG parses XML from user-controlled URLs and directly inserts program titles from the XML into HTML without any sanitization or escaping.
A user with upload permission can set a video's epg_link to a malicious XML file containing <title> elements with embedded JavaScript. This malicious script then executes in the browser of any unauthenticated visitor to the public EPG page.
This allows attackers to perform actions such as session hijacking and account takeover by stealing session cookies from visitors.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows an attacker to execute stored cross-site scripting (XSS) attacks that can lead to session hijacking and account takeover. This can result in unauthorized access to user accounts and potentially sensitive data.
Such unauthorized access and data exposure could negatively impact compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal data and ensuring secure access controls.
However, the provided information does not explicitly discuss compliance impacts or regulatory considerations.
How can this vulnerability impact me?
This vulnerability can have several impacts:
- Session Hijacking: Attackers can steal session cookies from any visitor, including administrators.
- Account Takeover: Using stolen admin sessions, attackers can gain full control over the platform.
- Persistence: The malicious payload is cached server-side and served to all visitors continuously, even after removal of the malicious XML.
- Wide Blast Radius: Since the EPG page is publicly accessible without authentication, all visitors are at risk.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves malicious JavaScript embedded in the <title> elements of XML files linked via the epg_link parameter in the AVideo platform. Detection involves identifying videos with epg_link URLs pointing to suspicious or untrusted XML files containing script payloads.
You can inspect the epg_link values in your database or via API to find URLs referencing external XML files. Additionally, monitoring HTTP requests to the public EPG page for unusual or unexpected script content in the HTML output can help detect exploitation.
Suggested commands include:
- Query the database for videos with epg_link set, e.g. with SQL: `SELECT id, epg_link FROM videos WHERE epg_link IS NOT NULL;`
- Fetch and inspect the XML content from each epg_link URL for suspicious `<title>` elements containing JavaScript or HTML tags.
- Use curl or wget to retrieve the public EPG page and grep for suspicious script tags or event handlers: `curl -s http://your-avideo-site/epg.php | grep -iE '<script|onerror|onload|javascript:'`
- Monitor web server logs for unusual requests or payloads targeting the EPG feature.
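The second detection step above (fetch the XML behind each epg_link and look for titles carrying markup) can be scripted. The checker below is an added example written for this page; it is not AVideo's code and not part of the advisory. It assumes an XMLTV-like layout (`<tv>` containing `<programme>` elements with a `<title>` child), which is an assumption about the feed format, and runs on a constructed sample document rather than a live fetch. It reads the decoded text of each title, exactly as the vulnerable page would, so `&lt;script&gt;` in the raw XML is examined as `<script>`.

```php
<?php
// Added example (not AVideo's code, not from the advisory): flag EPG <title>
// elements whose decoded text contains markup, script tags, event handlers or
// javascript: URLs. The XMLTV-like layout is an assumption about the feed format.

declare(strict_types=1);

/** Patterns that have no business in a legitimate programme title. */
const SUSPICIOUS_TITLE_PATTERNS = [
    'script tag'     => '/<\s*script\b/i',
    'event handler'  => '/\bon[a-z]+\s*=/i',
    'javascript URL' => '/javascript\s*:/i',
    'HTML tag'       => '/<\s*\/?[a-z][^>]*>/i',
];

/**
 * Return the flagged titles keyed by position, each with its list of reasons.
 * An empty array means nothing in the document matched.
 */
function suspiciousEpgTitles(string $xml): array
{
    // LIBXML_NONET: never let an untrusted document trigger network fetches.
    $prev = libxml_use_internal_errors(true);
    $doc = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NONET);
    libxml_use_internal_errors($prev);

    if ($doc === false) {
        // Malformed feed: scan the raw bytes instead; a parse failure is itself worth a look.
        $titles = ['raw-document' => $xml];
    } else {
        $titles = [];
        $n = 0;
        foreach ($doc->programme as $programme) {
            // (string) yields the decoded text, so &lt;img ...&gt; is inspected as <img ...>.
            $titles['programme#' . $n++] = (string) $programme->title;
        }
    }

    $flagged = [];
    foreach ($titles as $where => $title) {
        $reasons = [];
        foreach (SUSPICIOUS_TITLE_PATTERNS as $label => $pattern) {
            if (preg_match($pattern, $title) === 1) {
                $reasons[] = $label;
            }
        }
        if ($reasons !== []) {
            $flagged[$where] = ['title' => $title, 'reasons' => $reasons];
        }
    }
    return $flagged;
}

// Constructed sample feed: a benign title with an ampersand (must not be flagged),
// one carrying an inert event-handler payload, and one carrying a script tag.
$sampleXml = <<<'XML'
<?xml version="1.0" encoding="UTF-8"?>
<tv>
  <programme channel="1"><title>Tom &amp; Jerry: Kids</title></programme>
  <programme channel="1"><title>&lt;img src=x onerror="alert(1)"&gt;</title></programme>
  <programme channel="2"><title>Late Show &lt;script&gt;alert(1)&lt;/script&gt;</title></programme>
</tv>
XML;

foreach (suspiciousEpgTitles($sampleXml) as $where => $hit) {
    printf("%s: %s  [%s]\n", $where, $hit['title'], implode(', ', $hit['reasons']));
}
```

To use it against a real installation, take the epg_link values returned by the SQL query above, fetch each URL (curl is enough) and pass the response body to `suspiciousEpgTitles()`; any non-empty result identifies a video whose EPG feed deserves review. The HTML-tag pattern is deliberately broad, so expect it to flag titles that merely contain angle brackets; the other three patterns are the ones that indicate a script payload.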
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to apply the security fix that properly escapes program titles before rendering them in HTML to prevent XSS.
Specifically, update the AVideo platform to include the patch that uses PHP's htmlspecialchars() function with ENT_QUOTES and UTF-8 encoding on program titles in the EPG display code (plugin/PlayerSkins/epg.php). This sanitizes any special characters and neutralizes malicious scripts.
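To make the fix concrete, the following is an added example written for this page, not AVideo's own EPG rendering code: it parses a constructed EPG document (an XMLTV-like layout, which is an assumption about the feed format), builds the title markup once by plain string concatenation, mirroring the defect the advisory describes, and once through `htmlspecialchars()` with `ENT_QUOTES` and UTF-8 as the fix prescribes. The payload in the sample is inert here because the strings are only built and printed, never sent to a browser.

```php
<?php
// Added example (not AVideo's code): an attacker-supplied EPG title reaching the
// page unescaped, next to the htmlspecialchars() rendering the advisory describes.
// The XMLTV-like layout below is constructed and is an assumption about the feed format.

declare(strict_types=1);

// Constructed EPG document, as might be served from a user-controlled epg_link.
$sampleEpgXml = <<<'XML'
<?xml version="1.0" encoding="UTF-8"?>
<tv>
  <programme start="20260407200000 +0000" channel="1">
    <title>Evening News &amp; Weather</title>
  </programme>
  <programme start="20260407210000 +0000" channel="1">
    <title>&lt;img src=x onerror=alert(document.cookie)&gt;</title>
  </programme>
</tv>
XML;

/** Parse the EPG document and return the programme titles as decoded strings. */
function epgTitles(string $xml): array
{
    // LIBXML_NONET: the document comes from an untrusted URL, so forbid network access
    // during parsing; entities are not substituted unless LIBXML_NOENT is requested.
    $prev = libxml_use_internal_errors(true);
    $doc = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NONET);
    libxml_use_internal_errors($prev);
    if ($doc === false) {
        return [];
    }
    $titles = [];
    foreach ($doc->programme as $programme) {
        // (string) gives the decoded text, so &lt;img ...&gt; becomes <img ...>.
        $titles[] = (string) $programme->title;
    }
    return $titles;
}

/** Vulnerable rendering: the decoded title is concatenated straight into HTML. */
function renderVulnerable(array $titles): string
{
    $html = '';
    foreach ($titles as $title) {
        $html .= "<div class=\"epg-title\">{$title}</div>\n";
    }
    return $html;
}

/** Fixed rendering, as the advisory describes: htmlspecialchars() with ENT_QUOTES and UTF-8. */
function renderFixed(array $titles): string
{
    $html = '';
    foreach ($titles as $title) {
        $safe = htmlspecialchars($title, ENT_QUOTES, 'UTF-8');
        $html .= "<div class=\"epg-title\">{$safe}</div>\n";
    }
    return $html;
}

$titles = epgTitles($sampleEpgXml);
echo "Vulnerable output:\n", renderVulnerable($titles), "\n";
echo "Fixed output:\n", renderFixed($titles);
```

In the vulnerable output the second title is emitted as a live `<img>` element with an `onerror` handler; in the fixed output it is emitted as text (`&lt;img src=x onerror=alert(document.cookie)&gt;`) and the ampersand in the first title becomes `&amp;`, so both render as literal characters. One caveat worth knowing when applying this pattern elsewhere: with an explicit UTF-8 encoding, `htmlspecialchars()` returns an empty string for input that is not valid UTF-8 unless `ENT_SUBSTITUTE` is also passed, which silently blanks a title rather than escaping it.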
Additional immediate steps include:
- Restrict upload permissions to trusted users only, since only users with upload rights can set the epg_link.
- Review and remove any suspicious or untrusted epg_link URLs from videos.
- Clear or invalidate any cached EPG pages to remove persistent malicious payloads.
- Monitor the platform for unusual activity or signs of session hijacking.