LeakyCreds

CVE-2026-33500 - Vulnerability Analysis

Medium | CVSS: 5.4

Last Updated: March 24, 2026

WWBN AVideo - Stored XSS

Published: March 23, 2026 | Updated: March 24, 2026 | PoC Available | Remote Exploitable

Overview

WWBN AVideo <= 26.0 contains a stored XSS vulnerability caused by improper sanitization of markdown link syntax in comments. Parsedown's safeMode is disabled, which lets attackers inject malicious scripts via markdown links. Exploitation requires submitting a comment.

Severity & Score

Severity: Medium
CVSS Score: 5.4

Impact

Attackers can inject and execute arbitrary scripts in users' browsers, leading to session hijacking or other malicious actions.

Mitigation

Update to the version including commit 3ae02fa240939dbefc5949d64f05790fd25d728d or later.
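
Comments stored before the update may still contain such links. The following is an added example, not code from AVideo or from this advisory, that audits stored comment text for markdown links whose URL scheme falls outside an allowlist. The allowlist, the function names and the `(comment_id, text)` row shape are assumptions, and the sample rows are constructed.

```python
import re

# Assumed policy: schemes a comment link may use (not taken from AVideo).
ALLOWED_SCHEMES = {"http", "https", "mailto"}

# Inline markdown link: [label](destination "optional title")
LINK_RE = re.compile(r"\[([^\]]*)\]\(([^)]*)\)")
SCHEME_RE = re.compile(r"^([a-z][a-z0-9+.\-]*):", re.I)
LEADING_JUNK = "".join(chr(c) for c in range(0x21))  # C0 controls and space

def link_scheme(dest):
    """Return the lower-cased scheme of a link destination, or None if relative."""
    # Browsers drop tab/CR/LF inside a URL and ignore leading controls/spaces,
    # so normalise the same way before looking at the scheme.
    dest = re.sub(r"[\t\r\n]", "", dest).lstrip(LEADING_JUNK)
    dest = dest.split(" ", 1)[0].lstrip("<")  # drop the title, allow <url> form
    m = SCHEME_RE.match(dest)
    return m.group(1).lower() if m else None

def audit_comment(text):
    """Return (label, destination) for each link whose scheme is not allowed."""
    findings = []
    for label, dest in LINK_RE.findall(text):
        scheme = link_scheme(dest)
        if scheme is not None and scheme not in ALLOWED_SCHEMES:
            findings.append((label, dest.strip()))
    return findings

def audit_comments(rows):
    """rows: iterable of (comment_id, text). Returns {comment_id: findings}."""
    report = {}
    for cid, text in rows:
        hits = audit_comment(text)
        if hits:
            report[cid] = hits
    return report

# Constructed sample rows standing in for a comments table export.
SAMPLE = [
    (101, 'Nice video, see [the docs](https://example.com/docs "Docs")'),
    (102, "[click me](JaVa\tScript:void0)"),
    (103, "[pic](data:text/html,hello)"),
    (104, "relative [link](/videos/12) is fine"),
]

if __name__ == "__main__":
    for cid, hits in audit_comments(SAMPLE).items():
        print(cid, hits)
```

Flagged rows are candidates for review or removal; a destination such as `host:8080/path` is also flagged, since a browser reads `host` as the scheme.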

Details

CVE ID: CVE-2026-33500
Severity: Medium
CVSS Score: 5.4
Type: stored_xss
Status: confirmed

CWE

  • CWE-79

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N