CVE-2026-47694
Stored XSS in WWBN AVideo Category Descriptions
Publication date: 2026-05-29
Last updated on: 2026-05-29
Assigner: GitHub, Inc.
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wwbn | avideo | up to and including 29.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability is a stored Cross-Site Scripting (XSS) issue that allows attackers to execute malicious JavaScript in the context of other users viewing the affected pages. This can lead to unauthorized actions, data theft, or manipulation of administrative functions.
Such unauthorized access or data exposure could potentially impact compliance with standards and regulations like GDPR or HIPAA, which require protection of user data and prevention of unauthorized access or data breaches.
However, the provided information does not explicitly discuss compliance impacts or regulatory considerations.
Can you explain this vulnerability to me?
CVE-2026-47694 is a stored Cross-Site Scripting (XSS) vulnerability in the WWBN AVideo platform (version 29.0 and earlier). It occurs because category descriptions, which can be created or edited by users with appropriate permissions, are stored as raw HTML and rendered without proper encoding in the Gallery view.
An attacker who can create or edit categories can inject malicious JavaScript code into the category description. This code executes when other users view the affected Gallery or category page, potentially allowing the attacker to perform unauthorized actions or steal sensitive information.
How can this vulnerability impact me?
This vulnerability can impact users by enabling attackers to execute malicious JavaScript in the context of the affected website. This can lead to unauthorized actions performed on behalf of victims, theft of sensitive data such as session tokens, or manipulation of administrative user interface elements if an administrator views the malicious category.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if category descriptions in the AVideo Gallery view contain unescaped or raw HTML, especially JavaScript payloads. One way to detect it is to inspect category descriptions for suspicious scripts or HTML tags that execute JavaScript.
A proof of concept payload is `<img src=x onerror=alert(document.domain)>`. You can search the database or exported category descriptions for similar patterns.
Commands to detect such payloads might include searching the database for suspicious strings. For example, if you have access to the database, you could run a SQL query like:
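```sql
-- Descriptions containing an <img> tag with an onerror handler (the shape of the proof-of-concept payload)
SELECT * FROM categories WHERE category_description LIKE '%<img%onerror=%';
-- Descriptions containing a common JavaScript event handler or a script tag
SELECT * FROM categories WHERE category_description LIKE '%onerror=%' OR category_description LIKE '%<script>%';
```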
Additionally, manual inspection of the Gallery/category pages in a browser's developer tools can reveal if JavaScript executes unexpectedly when viewing category descriptions.
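The LIKE patterns above match substrings, so they also flag plain text that merely mentions `onerror=` and need one pattern per handler name. As an added example (not code from AVideo or from this advisory), the Python script below parses exported descriptions as HTML and reports event-handler attributes, script-capable elements and `javascript:` URLs. The `(id, category_description)` row shape, the tag list and the function names are assumptions, and the sample rows are constructed.

```python
from html.parser import HTMLParser

# Assumed policy for this example: elements a category description never needs.
RISKY_TAGS = {"script", "iframe", "object", "embed", "svg", "base", "meta", "link"}
URL_ATTRS = {"href", "src", "action", "formaction"}

class DescriptionAudit(HTMLParser):
    """Records markup in one description that a browser could execute."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names and decodes entities
        # in attribute values, so mixed case does not hide a match.
        if tag in RISKY_TAGS:
            self.findings.append(f"<{tag}> element")
        for name, value in attrs:
            scheme = "".join(c for c in (value or "") if c > " ").lower()
            if name.startswith("on"):
                self.findings.append(f"{name} handler on <{tag}>")
            elif name in URL_ATTRS and scheme.startswith("javascript:"):
                self.findings.append(f"javascript: URL in {name} on <{tag}>")

def audit(description):
    """Return the list of findings for one stored description."""
    parser = DescriptionAudit()
    parser.feed(description)
    parser.close()
    return parser.findings

def scan(rows):
    """Map category id -> findings for every row that has at least one."""
    return {cid: found for cid, text in rows if (found := audit(text))}

# Constructed sample rows (id, category_description); row 2 is the page's PoC.
SAMPLE_ROWS = [
    (1, "Tutorials and <b>how-to</b> videos"),
    (2, "<img src=x onerror=alert(document.domain)>"),
    (3, "Talks about the onerror= attribute in HTML"),
    (4, '<P OnMouseOver="alert(document.domain)">Music</P>'),
    (5, "<script>alert(document.domain)</script>"),
]

if __name__ == "__main__":
    for cid, found in scan(SAMPLE_ROWS).items():
        print(cid, found)
```

Row 3 is left alone because it contains no markup, while row 4 is reported even though it uses a handler other than `onerror`.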
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include sanitizing or encoding the category descriptions to prevent execution of malicious JavaScript.
Specifically, apply output encoding functions such as `htmlspecialchars()` or use libraries like HTMLPurifier to sanitize the category_description field before rendering it in the Gallery view.
Additionally, restrict permissions so that only trusted users can create or edit categories, reducing the risk of malicious input.
If possible, update AVideo to a version later than 29.0 where this vulnerability is fixed.