CVE-2026-33035 Overview
CVE-2026-33035 is a reflected Cross-Site Scripting (XSS) vulnerability affecting WWBN AVideo, an open source video platform. In versions 25.0 and below, unauthenticated attackers can execute arbitrary JavaScript in a victim's browser by exploiting improper input handling in URL parameters. User input flows through PHP's json_encode() into a JavaScript function that renders content via innerHTML, effectively bypassing encoding mechanisms and enabling full script execution.
Critical Impact
This vulnerability allows attackers to steal session cookies, take over accounts, phish credentials via injected login forms, spread self-propagating payloads, and compromise admin accounts — all exploiting the lack of proper input sanitization and missing HttpOnly flag on PHPSESSID.
Affected Products
- WWBN AVideo versions 25.0 and below
- All installations using the vulnerable videoNotFound.php and script.js components
- Self-hosted AVideo deployments without security patches applied
Discovery Timeline
- 2026-03-20 - CVE-2026-33035 published to NVD
- 2026-03-24 - Last updated in NVD database
Technical Details for CVE-2026-33035
Vulnerability Analysis
The reflected XSS vulnerability in WWBN AVideo stems from a dangerous combination of two distinct security weaknesses working in concert. The first issue involves the videoNotFound.php file, which accepts user-controlled input from URL parameters and passes this data through PHP's json_encode() function before embedding it into JavaScript context. While json_encode() provides some escaping for JSON syntax, it does not adequately sanitize content destined for HTML rendering.
The second contributing factor resides in script.js, where the application uses innerHTML to render the encoded content directly into the DOM. When innerHTML processes HTML tags, it interprets and executes them as active DOM elements, allowing attackers to inject malicious script tags or event handlers that execute JavaScript code in the victim's browser session.
This attack chain requires no authentication, making it particularly dangerous for public-facing AVideo installations. The missing HttpOnly flag on the PHPSESSID cookie exacerbates the risk by allowing JavaScript to access session cookies, enabling complete session hijacking.
Root Cause
The root cause is twofold: improper input validation in videoNotFound.php that fails to sanitize user-controlled URL parameters before passing them to JavaScript, combined with unsafe DOM manipulation in script.js that uses innerHTML to render potentially malicious content. The lack of Content Security Policy (CSP) headers and missing HttpOnly cookie flags further compound the vulnerability's severity.
Attack Vector
An attacker crafts a malicious URL containing JavaScript payload in a vulnerable parameter. When a victim clicks this link, the AVideo application processes the input through json_encode(), passes it to JavaScript, and renders it via innerHTML. The browser interprets the injected content as executable code, allowing the attacker to steal cookies, hijack sessions, inject phishing forms, or perform actions on behalf of the authenticated user.
The security patch addresses this vulnerability by introducing HTML-safe content handling functions. The fix replaces unsafe alert functions with sanitized alternatives:
$users_id = $isACompany ? $value['users_id_affiliate'] : $value['users_id_company'];
$value['users_id'] = $users_id;
- $value['js'] = 'avideoAlertOnce('
+ $value['js'] = 'avideoAlertOnceHTML('
. '"' . __('You have a new affiliation request') . '",'
. "\"<a href='{$global['webSiteRootURL']}user?tab=tabAffiliation'>" . __('Please click here') . '</a>", "info", "' . $value['id'] . $value['modified'] . '");';
Source: GitHub Commit Details
Similarly, JavaScript confirmation dialogs were updated to use HTML-safe variants:
}
// Use avideoConfirm to ask for user confirmation and include a progress bar
- avideoConfirm(customMessage + '<hr>' + __("You will be redirected to the following URL:") + "<br><strong>" + viewerUrl + "</strong><br><div class='progress' style='height: 10px;'><div id='countdownProgressBar' class='progress-bar progress-bar-striped progress-bar-animated' role='progressbar' style='width: 0%;' aria-valuenow='0' aria-valuemin='0' aria-valuemax='100'></div></div>").then(function (confirmed) {
+ avideoConfirmHTML(customMessage + '<hr>' + __("You will be redirected to the following URL:") + "<br><strong>" + viewerUrl + "</strong><br><div class='progress' style='height: 10px;'><div id='countdownProgressBar' class='progress-bar progress-bar-striped progress-bar-animated' role='progressbar' style='width: 0%;' aria-valuenow='0' aria-valuemin='0' aria-valuemax='100'></div></div>").then(function (confirmed) {
if (confirmed) {
clearInterval(countdownInterval); // Stop countdown if user confirms
redirectToUrl(viewerUrl);
Source: GitHub Commit Details
Detection Methods for CVE-2026-33035
Indicators of Compromise
- Unusual URL parameters containing encoded JavaScript payloads targeting videoNotFound.php
- Web server logs showing requests with <script>, onerror=, onload=, or other XSS payload signatures
- Unexpected session activity or account access from unfamiliar IP addresses following link clicks
- User reports of suspicious redirects or credential prompts on the AVideo platform
Detection Strategies
- Deploy Web Application Firewall (WAF) rules to detect and block common XSS payload patterns in URL parameters
- Implement Content Security Policy (CSP) headers to restrict script execution sources and report violations
- Monitor web server access logs for requests containing URL-encoded JavaScript or HTML injection attempts
- Use browser-based XSS auditors and security tools to identify reflected script execution
Monitoring Recommendations
- Enable detailed logging for all requests to videoNotFound.php and related vulnerable endpoints
- Set up alerts for anomalous patterns in URL parameters, particularly those containing angle brackets or JavaScript keywords
- Monitor for sudden increases in session invalidations or password reset requests that may indicate account compromise
- Review authentication logs for login attempts following suspicious URL access patterns
How to Mitigate CVE-2026-33035
Immediate Actions Required
- Upgrade WWBN AVideo to version 26.0 or later immediately to apply the security fix
- If immediate upgrade is not possible, restrict access to the AVideo platform or place it behind authentication
- Add the HttpOnly and Secure flags to the PHPSESSID cookie configuration
- Implement Content Security Policy (CSP) headers to mitigate XSS impact
Patch Information
The vulnerability has been fixed in WWBN AVideo version 26.0. The patch (commit cca6196f4072cb9acc39b1030fb8fb1702b4f69b) introduces HTML-safe content handling functions that properly sanitize user input before rendering. Organizations should upgrade to version 26.0 or apply the specific commit fix. For detailed patch information, refer to the GitHub Security Advisory and GitHub Commit Details.
Workarounds
- Configure web server to set HttpOnly and Secure flags on all session cookies
- Deploy a reverse proxy or WAF with XSS filtering enabled to block malicious payloads
- Implement strict Content Security Policy headers that disable inline script execution
- Consider temporarily disabling public access to the video platform until patching is complete
# Apache configuration to add HttpOnly flag to cookies
# Add to .htaccess or Apache configuration file
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
# Nginx configuration for CSP headers
# Add to server or location block
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline';" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
