CVE-2026-50182
Received Received - Intake

Reflected XSS in AVideo YouTubeAPI Gallery Pagination

Vulnerability report for CVE-2026-50182, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-15

Last updated on: 2026-07-15

Assigner: GitHub, Inc.

Description

WWBN AVideo is an open source video platform. Versions prior to 29.0 contain an unauthenticated Reflected XSS vulnerability through AVideo YouTubeAPI Gallery Pagination. The $_GET['search'] query parameter is concatenated directly into the href attribute of two pagination links in plugin/YouTubeAPI/gallerySection.php (lines 67 and 74) with no htmlspecialchars, no urlencode, and no allow-list check. An injected <script> element is then extracted by the AVideo Layout plugin and concatenated into a single trailing inline script block at the bottom of the page, where the browser executes it. Any unauthenticated attacker can lure a victim into following a crafted URL to execute arbitrary JavaScript under the AVideo origin, which can read non-HttpOnly cookies and issue authenticated AJAX requests as the victim, and when the victim is an administrator, it can perform any cookie-authenticated admin action (create user, promote to admin, change configuration, install plugin), escalating a single click into full administrative takeover. This issue has been patched by this commit: https://github.com/WWBN/AVideo/commit/f50fc033b7adb36f1ffd6640e7826468bdafdec3.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-15
Last Modified
2026-07-15
Generated
2026-07-16
AI Q&A
2026-07-16
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
wwbn avideo to 29.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This is a reflected cross-site scripting (XSS) vulnerability in WWBN AVideo, versions before 29.0. It occurs in the YouTubeAPI Gallery Pagination feature where the search query parameter is directly inserted into HTML without proper sanitization. This allows attackers to inject malicious JavaScript code via a crafted URL. When a victim clicks the link, the script executes in their browser under the AVideo domain, enabling theft of non-HttpOnly cookies and execution of authenticated actions.

Impact Analysis

An attacker could trick you into clicking a malicious link, allowing them to run arbitrary JavaScript in your browser as if you were logged into AVideo. This could let them steal your session cookies, perform actions on your behalf (like creating users or changing settings), or even take full control of your AVideo account if you have admin privileges.

Detection Guidance

To detect this vulnerability, inspect the AVideo application for versions prior to 29.0. Check plugin/YouTubeAPI/gallerySection.php for lines 67 and 74 where the $_GET['search'] parameter is used without htmlspecialchars or urlencode. Test by crafting URLs with XSS payloads in the search parameter and observe if scripts execute.

Mitigation Strategies

Immediately upgrade AVideo to version 29.0 or later to apply the patch. If upgrading is not possible, remove or disable the YouTubeAPI plugin. As a temporary measure, implement input validation and output encoding for the search parameter in gallerySection.php.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-50182. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart