CVE-2026-50183
Received Received - Intake

Stored XSS in WWBN AVideo YouTubeAPI Plugin

Vulnerability report for CVE-2026-50183, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-15

Last updated on: 2026-07-15

Assigner: GitHub, Inc.

Description

WWBN AVideo is an open source video platform. Versions 29.0 and below contain a stored Cross-Site Scripting vulnerability in the YouTubeAPI plugin. The plugin renders the snippet.title field returned by the YouTube Data API into the homepage gallery markup with no HTML encoding. The title is set by the YouTube video uploader (anyone in the world) and is treated by AVideo as trusted content. A YouTube uploader who controls a video matching the operator's configured query injects HTML into the AVideo homepage by setting their video's title to a JavaScript-bearing string; the payload then executes in the browser of every visitor who loads any page that renders the gallery. When the visitor is an AVideo administrator, the injected JavaScript performs any admin action (create user, promote to admin, change configuration, install plugin) that uses cookie-based authentication without an additional CSRF token, escalating the bug into full administrative takeover. The payload persists for the duration of cacheTimeout (default 3600 seconds) after the malicious title is set on YouTube and survives YouTube removing the hostile video for the same window. This issue has been addressed by commit https://github.com/WWBN/AVideo/commit/7292129eaee5f609beae103b5cb387d55f17b877.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-15
Last Modified
2026-07-15
Generated
2026-07-16
AI Q&A
2026-07-16
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
wwbn avideo to 30.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This is a stored Cross-Site Scripting (XSS) vulnerability in WWBN AVideo versions 29.0 and below. It occurs in the YouTubeAPI plugin where video titles from YouTube are rendered without HTML encoding. An attacker can inject malicious JavaScript by setting a video title to a string containing executable code. When the homepage gallery loads, the script runs in visitors' browsers, including administrators.

Impact Analysis

If you visit an AVideo site with this vulnerability, an attacker could execute arbitrary JavaScript in your browser. For administrators, this could lead to full account takeover, allowing the attacker to create users, change settings, or install plugins. Regular users may experience data theft or session hijacking.

Compliance Impact

This vulnerability could lead to unauthorized access to user data, violating GDPR's data protection requirements and HIPAA's privacy rules. It may result in data breaches, unauthorized modifications, or exposure of sensitive information, potentially leading to legal penalties and compliance failures.

Detection Guidance

Check if you are running AVideo version 29.0 or below. Inspect the homepage gallery markup for unencoded JavaScript in video titles fetched from YouTube. Monitor network traffic for unexpected admin actions or unusual JavaScript execution in the browser console.

Mitigation Strategies

Upgrade AVideo to a version beyond 29.0 where the issue is fixed. Apply the patch from commit 7292129eaee5f609beae103b5cb387d55f17b877. Review and restrict admin actions to prevent unauthorized changes via injected scripts.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-50183. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart