{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-41063", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-16T16:43:03.173Z", "datePublished": "2026-04-21T22:59:52.770Z", "dateUpdated": "2026-04-21T23:07:13.350Z"}, "containers": {"cna": {"title": "WWBN AVideo has incomplete fix for CVE-2026-33500 (XSS)", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/WWBN/AVideo/security/advisories/GHSA-m7r8-6q9j-m2hc", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-m7r8-6q9j-m2hc"}, {"name": "https://github.com/WWBN/AVideo/security/advisories/GHSA-72h5-39r7-r26j", "tags": ["x_refsource_MISC"], "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-72h5-39r7-r26j"}, {"name": "https://github.com/WWBN/AVideo/commit/3ae02fa240939dbefc5949d64f05790fd25d728d", "tags": ["x_refsource_MISC"], "url": "https://github.com/WWBN/AVideo/commit/3ae02fa240939dbefc5949d64f05790fd25d728d"}, {"name": "https://github.com/WWBN/AVideo/commit/cae8f0dadbdd962c89b91d0095c76edb8aadcacf", "tags": ["x_refsource_MISC"], "url": "https://github.com/WWBN/AVideo/commit/cae8f0dadbdd962c89b91d0095c76edb8aadcacf"}], "affected": [{"vendor": "WWBN", "product": "AVideo", "versions": [{"version": "<= 29.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-21T23:07:13.350Z"}, "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions 29.0 and below, an incomplete XSS fix in AVideo's `ParsedownSafeWithLinks` class overrides `inlineMarkup` for raw HTML but does not override `inlineLink()` or `inlineUrlTag()`, allowing `javascript:` URLs in markdown link syntax to bypass sanitization. Commit cae8f0dadbdd962c89b91d0095c76edb8aadcacf contains an updated fix."}], "source": {"advisory": "GHSA-m7r8-6q9j-m2hc", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions 29.0 and below, an incomplete XSS fix in AVideo's `ParsedownSafeWithLinks` class overrides `inlineMarkup` for raw HTML but does not override `inlineLink()` or `inlineUrlTag()`, allowing `javascript:` URLs in markdown link syntax to bypass sanitization. Commit cae8f0dadbdd962c89b91d0095c76edb8aadcacf contains an updated fix."}], "id": "CVE-2026-41063", "lastModified": "2026-04-22T00:16:28.097", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-21T23:16:21.663", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/WWBN/AVideo/commit/3ae02fa240939dbefc5949d64f05790fd25d728d"}, {"source": "security-advisories@github.com", "url": "https://github.com/WWBN/AVideo/commit/cae8f0dadbdd962c89b91d0095c76edb8aadcacf"}, {"source": "security-advisories@github.com", "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-72h5-39r7-r26j"}, {"source": "security-advisories@github.com", "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-m7r8-6q9j-m2hc"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,29.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "AVideo", "source": "cna", "vendor": "WWBN"}, "product": "avideo", "vendor": "wwbn"}], "analysis": {"en": {"generated_at": "2026-04-22T06:12:39.338500+00:00", "value": {"mitigation_remediation": ["Apply the GitHub commit containing the updated sanitization patch (cae8f0dadbdd962c89b91d0095c76edb8aadcacf) or upgrade to a later AVideo release that includes this fix.", "If an immediate upgrade is not possible, disable raw HTML parsing or modify the Markdown engine configuration to reject javascript: URLs in links and URL tags until the fix is applied.", "Review all user\u2011generated content for suspicious links and remediate any malicious entries to counteract potential exploitation."], "summary": {"action": "Update Patch", "impact": "Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "The flaw exists in all AVideo releases up to and including version 29.0. The affected component is the ParsedownSafeWithLinks class, part of the public AVideo distribution from WWBN.", "description_and_impact": "The vulnerability arises from an incomplete sanitization within AVideo\u2019s Markdown processing. The cleanup function that blocks raw HTML works, but it fails to intercept links built via inlineLink() or inlineUrlTag(). As a result, users can insert markdown links that reference javascript: URLs, which bypass the sanitizer and execute arbitrary script in the browser that visits the page. This could allow an attacker to steal session cookies, deface the site, or conceal phishing content, all without needing elevated privileges beyond content publishing.", "risk_and_exploitability": "The CVSS score of 5.4 indicates a moderate risk profile. No EPSS score is available, and the vulnerability is not listed in CISA\u2019s KEV catalog, suggesting limited exploitation data. The attack vector is likely through user\u2011generated Markdown content; an attacker could embed a malicious link in posts, comments, or other free\u2011form fields that render Markdown. If a user with publishing rights can inject the payload, the XSS will trigger when any visitor views the page."}}}}, "created": "2026-04-22T01:30:05.075110+00:00", "updated": "2026-04-22T06:15:10.418893+00:00", "vendors": ["wwbn", "wwbn$PRODUCT$avideo"]}