CVE-2026-41061

WWBN AVideo (versions ≤ 29.0) is vulnerable due to an unanchored end in isValidDuration() regex in objects/video.php:918: /^[0-9]{1,2}:[0-9]{1,2}:[0-9]{1,2}/ allowing appending HTML/JavaScript after a valid duration. The crafted duration is stored and rendered without HTML escaping via Video::get...