5 matches found
CVE-2026-33500
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the fix for CVE-2026-27568 GHSA-rcqw-6466-3mv7 introduced a custom ParsedownSafeWithLinks class that sanitizes raw HTML and tags in comments, but explicitly disables Parsedown's safeMode. This creates a bypass:...
CVE-2026-27568
WWBN AVideo is an open source video platform. Prior to version 21.0, AVideo allows Markdown in video comments and uses Parsedown v1.7.4 without Safe Mode enabled. Markdown links are not sufficiently sanitized, allowing javascript: URIs to be rendered as clickable links. An authenticated...
CVE-2026-27568
WWBN AVideo is an open source video platform. Prior to version 21.0, AVideo allows Markdown in video comments and uses Parsedown v1.7.4 without Safe Mode enabled. Markdown links are not sufficiently sanitized, allowing javascript: URIs to be rendered as clickable links. An authenticated...
CVE-2026-27568
WWBN AVideo (open source video platform) is affected prior to version 21.0 by CVE-2026-27568, where Markdown in video comments processed by Parsedown v1.7.4 without Safe Mode allows javascript: URIs to be rendered as links. An authenticated low-privilege attacker can post a malicious comment whos...
AVideo has Stored Cross-Site Scripting via Markdown Comment Injection
Vulnerability Type Stored Cross-Site Scripting XSS — CWE-79. Affected Product/Versions AVideo 18.0. Root Cause Summary AVideo allows Markdown in video comments and uses Parsedown v1.7.4 without Safe Mode enabled. Markdown links are not sufficiently sanitized, allowing javascript: URIs to be...