CVE-2026-41063
Cross-Site Scripting in WWBN AVideo Markdown Link Parsing
Publication date: 2026-04-21
Last updated on: 2026-04-24
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wwbn | avideo | up to and including 29.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows attackers to inject javascript: URLs into user-generated content through Markdown links, leading to cross-site scripting (XSS) attacks. Such attacks can result in session hijacking, account takeover, and data theft.
These security risks can impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal data and secure handling of user information to prevent unauthorized access and data breaches.
Failure to mitigate this vulnerability could lead to unauthorized disclosure or compromise of sensitive data, thereby violating these regulations' requirements for data confidentiality and integrity.
Can you explain this vulnerability to me?
This vulnerability exists in WWBN AVideo, an open source video platform, in versions 29.0 and below. It is caused by an incomplete cross-site scripting (XSS) fix in the ParsedownSafeWithLinks class. Specifically, while the class overrides the inlineMarkup method to handle raw HTML, it does not override the inlineLink() or inlineUrlTag() methods. This omission allows javascript: URLs in markdown link syntax to bypass sanitization, potentially enabling XSS attacks.
How can this vulnerability impact me?
This vulnerability can allow attackers to inject malicious JavaScript code via markdown links containing javascript: URLs. Such code can execute in the context of users viewing the affected content, potentially leading to theft of user credentials, session hijacking, or other malicious actions. The CVSS score of 5.4 indicates a medium severity with impacts on confidentiality and integrity, requiring user interaction and low privileges to exploit.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, update WWBN AVideo to a version that includes the fix from commit cae8f0dadbdd962c89b91d0095c76edb8aadcacf or later.
This fix addresses the incomplete XSS sanitization by properly overriding the inlineLink() and inlineUrlTag() methods to prevent javascript: URLs in markdown link syntax from bypassing sanitization.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by scanning user-generated content fields (such as comments or descriptions) for Markdown links that contain unsafe URL schemes like "javascript:", "data:", or "vbscript:" which bypass sanitization in affected versions of AVideo.
A practical approach is to search for Markdown link syntax patterns that include these dangerous schemes. For example, you can use command-line tools like grep to find suspicious Markdown links in your application data or logs.
- grep -r -i '\[.*\](javascript:.*)' /path/to/avideo/data
- grep -r -i '\[.*\](data:.*)' /path/to/avideo/data
- grep -r -i '\[.*\](vbscript:.*)' /path/to/avideo/data
Additionally, monitoring HTTP traffic or logs for requests containing such payloads in Markdown fields can help detect exploitation attempts.
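The grep patterns above match only the literal, lower-case scheme spelled exactly as typed. A browser, by contrast, decodes HTML entities and ignores case and embedded whitespace or control characters when it reads the scheme, so a sweep of stored content should normalize destinations the same way before classifying them. The following added example (not AVideo or Parsedown code) shows the two pieces a defender wants together: an allowlist check on a link destination, which is the kind of check a ParsedownSafeWithLinks override of inlineLink()/inlineUrlTag() would apply to the href before emitting an anchor, and a scanner that runs that check over Markdown text and reports the line of every link that fails it. The sample comment text, the SAFE_SCHEMES allowlist, and the function names are constructed for this example; they are not values from the project.

```python
"""Added example (not AVideo or Parsedown code): scheme allowlisting for Markdown
link destinations, plus a scanner that flags stored Markdown whose links would be
rejected by that allowlist."""
import html
import re

# Schemes a link destination may use (constructed allowlist for this example).
# Anything else (javascript:, data:, vbscript:, ...) is rejected. Relative URLs
# carry no scheme and pass, so ordinary site links keep working.
SAFE_SCHEMES = {"http", "https", "mailto"}

# Candidate links: [text](dest), [text](<dest with spaces>), and autolinks
# <scheme:...>. Deliberately loose: the scanner wants candidates to classify,
# not a full CommonMark parse, so the captured destination may stop early.
LINK_RE = re.compile(r"\[[^\]]*\]\(\s*(?:<([^>]*)>|([^\s)]+))")
AUTOLINK_RE = re.compile(r"<([A-Za-z][A-Za-z0-9+.\-]*:[^\s<>]*)>")
SCHEME_RE = re.compile(r"^([a-z][a-z0-9+.\-]*):")


def normalize_url(raw: str) -> str:
    """Reduce a raw destination to what a browser would act on: decode HTML
    entities, drop ASCII control characters and whitespace (which browsers
    skip while parsing the scheme), and lower-case the result."""
    decoded = html.unescape(raw)
    return "".join(ch for ch in decoded if ord(ch) > 0x20).lower()


def is_safe_href(raw: str) -> bool:
    """True only if the destination has no scheme (a relative URL) or an
    allowlisted one. A denylist of bad schemes would miss the next one;
    an allowlist does not."""
    url = normalize_url(raw)
    m = SCHEME_RE.match(url)
    if m is None:
        return True
    return m.group(1) in SAFE_SCHEMES


def find_unsafe_links(markdown: str):
    """Return sorted (line_number, raw_destination) pairs for every Markdown
    link whose destination fails is_safe_href(). Intended for sweeping stored
    user-generated content such as comments and descriptions."""
    hits = {}
    for regex in (LINK_RE, AUTOLINK_RE):
        for m in regex.finditer(markdown):
            dest = next(g for g in m.groups() if g is not None)
            if not is_safe_href(dest):
                line = markdown.count("\n", 0, m.start()) + 1
                hits[(line, dest)] = None  # dict keys dedupe repeated matches
    return sorted(hits)


# Constructed sample of stored comment text (not real AVideo data). Lines 1-2
# are benign; lines 3-6 use variants the literal grep patterns would not all catch.
SAMPLE_COMMENT = """Great video! See [the docs](https://example.com/docs) and [this clip](/video/123).
Contact <mailto:admin@example.com> or <https://example.com/more>.
[click me](javascript:alert(1))
[me too](JaVaScRiPt:alert(1))
[and me](&#106;avascript:alert(1))
[inline](data:text/html,hello)
"""

if __name__ == "__main__":
    for line, dest in find_unsafe_links(SAMPLE_COMMENT):
        print(f"line {line}: unsafe link destination {dest!r}")
```

Run against the constructed sample, the scanner reports lines 3 through 6 and nothing for the two benign lines. The same is_safe_href() logic, applied inside the parser to the href before the anchor element is built, is the shape of fix the advisory describes; applied to stored content, it tells you whether anything that bypassed the old parser is still sitting in the database after you upgrade.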