Back to overview

CVE-2026-50183

MEDIUM
4.7
CVSS 3.1
Description
WWBN AVideo is an open source video platform. Versions 29.0 and below contain a stored Cross-Site Scripting vulnerability in the YouTubeAPI plugin. The plugin renders the snippet.title field returned by the YouTube Data API into the homepage gallery markup with no HTML encoding. The title is set by the YouTube video uploader (anyone in the world) and is treated by AVideo as trusted content. A YouTube uploader who controls a video matching the operator's configured query injects HTML into the AVideo homepage by setting their video's title to a JavaScript-bearing string; the payload then executes in the browser of every visitor who loads any page that renders the gallery. When the visitor is an AVideo administrator, the injected JavaScript performs any admin action (create user, promote to admin, change configuration, install plugin) that uses cookie-based authentication without an additional CSRF token, escalating the bug into full administrative takeover. The payload persists for the duration of cacheTimeout (default 3600 seconds) after the malicious title is set on YouTube and survives YouTube removing the hostile video for the same window. This issue has been addressed by commit https://github.com/WWBN/AVideo/commit/7292129eaee5f609beae103b5cb387d55f17b877.

Metadata

CVE ID
CVE-2026-50183
State
PUBLISHED
Assigner
GitHub_M
Reserved
2026-06-03 22:05 UTC
Published
2026-07-15 21:13 UTC
Last updated
2026-07-15 21:13 UTC
Primary CWE
CWE-79
CWE-79: Improper Neutralization of Input During Web Page Gen…
Vendor / Product
WWBN / AVideo
Sources
cve.org  ·  NVD

Severity & Metrics

4.7 MEDIUM CVSS 3.1
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
Affected products (1)
VendorProductPlatformVersions
WWBN AVideo <= 29.0
Weakness (CWE)
CWESourceDescription
CWE-79 cna CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSS scores (1)
ScoreSeverityVersionSourceVector
4.7 MEDIUM 3.1 cna CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
References (2)
Back to overview