CVE-2026-39367
WWBN AVideo (versions 26.0 and earlier) has a stored XSS vector in the EPG page. The EPG feature parses XML from user-controlled URLs and renders elements directly into HTML without sanitization, allowing a user with upload permission to point epg_link to a malicious XML to trigger JavaScript ex...