CVE-2026-33295 Overview
WWBN AVideo is an open source video platform. Prior to version 26.0, WWBN/AVideo contains a stored cross-site scripting (XSS) vulnerability in the CDN plugin's download buttons component. The clean_title field of a video record is interpolated directly into a JavaScript string literal without any escaping, allowing an attacker who can create or modify a video to inject arbitrary JavaScript that executes in the browser of any user who visits the affected download page. Version 26.0 fixes the issue.
Critical Impact
Attackers with video creation or modification privileges can inject malicious JavaScript that executes in victims' browsers, potentially leading to session hijacking, credential theft, or malware distribution to all users accessing the affected download page.
Affected Products
- WWBN AVideo versions prior to 26.0
- CDN plugin downloadButtons.php component
- All AVideo deployments with CDN plugin enabled
Discovery Timeline
- 2026-03-22 - CVE-2026-33295 published to NVD
- 2026-03-24 - Last updated in NVD database
Technical Details for CVE-2026-33295
Vulnerability Analysis
This stored cross-site scripting (XSS) vulnerability exists in the CDN plugin's download buttons component of WWBN AVideo. The vulnerability stems from improper handling of user-controlled data when rendering JavaScript code in the downloadButtons.php file. When a user with video creation or modification privileges sets a malicious clean_title value for a video, that value is directly interpolated into a JavaScript string literal without proper encoding or sanitization.
The stored nature of this XSS vulnerability makes it particularly dangerous. Unlike reflected XSS attacks that require social engineering to trick users into clicking malicious links, this vulnerability persists in the database and automatically executes whenever any user visits the affected download page. This enables wide-scale attacks against all platform users.
Root Cause
The root cause is improper output encoding in the _goToURLOrAlertError JavaScript function within plugin/CDN/downloadButtons.php. The $video['clean_title'] value was echoed directly into a single-quoted JavaScript string literal instead of being passed through json_encode(), so special characters were not escaped. This allowed attackers to break out of the string context and inject arbitrary JavaScript code.
Attack Vector
The attack vector is network-based and requires low privileges (the ability to create or modify video content) combined with user interaction (the victim must visit the download page). The attack proceeds as follows:
- The attacker creates or modifies a video entry with a malicious clean_title containing a JavaScript payload
- Victims navigate to the download page for that video
- The malicious JavaScript executes in the victim's browser context with full access to cookies, session tokens, and DOM manipulation capabilities
<script>
function _goToURLOrAlertError(url, progress, format) {
avideoToastSuccess(<?php echo json_encode(__('Downloading') . '... ' . $video['title']); ?>);
- downloadURLOrAlertError(url, {}, '<?php echo $video['clean_title']; ?>.' + format, progress);
+ downloadURLOrAlertError(url, {}, <?php echo json_encode($video['clean_title']); ?> + '.' + format, progress);
}
</script>
<?php
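Review bot: json_encode() on the `+` line is called with default flags inside a <script> element. The default output escapes double quotes, backslashes and `/`, so the value can no longer close the string literal or emit a literal `</script>`, but `<`, `>` and `&` still pass through unchanged. Passing JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT here, and on the avideoToastSuccess() call one line above, would keep the output inert in any HTML or script context. The hunk also carries no regression test for a clean_title containing a quote character.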
Source: GitHub Commit
Detection Methods for CVE-2026-33295
Indicators of Compromise
- Unusual JavaScript payloads in video clean_title database fields
- Reports of unexpected browser behavior when accessing video download pages
- Suspicious characters or script tags in video metadata entries
- Web application firewall logs showing XSS patterns in video title submissions
Detection Strategies
- Monitor video creation and modification API calls for JavaScript injection patterns
- Implement Content Security Policy (CSP) headers to detect and block inline script execution
- Review database entries for the clean_title field containing suspicious characters such as <, >, ', ", or JavaScript event handlers
- Deploy web application firewall rules targeting XSS payloads in video metadata fields
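One way to run the clean_title review described above, as an added example (not code from AVideo or from the advisory): it classifies each stored value by whether it could terminate the single-quoted JavaScript literal used in the unpatched downloadButtons.php. The (id, clean_title) row shape, the slug allowlist and the sample rows are assumptions constructed for illustration.

```python
import re

# Characters that end or escape a single-quoted JS string literal (quote,
# backslash, line terminators; U+2028/U+2029 count in pre-ES2019 engines),
# plus the sequence that closes the surrounding <script> element.
BREAKOUT = re.compile(r"['\\\r\n\u2028\u2029]|</script", re.IGNORECASE)

# Other characters the advisory lists as suspicious in clean_title,
# and attribute-style event handlers such as "onload=".
SUSPICIOUS = re.compile(r'[<>"]|\bon\w+\s*=', re.IGNORECASE)

# Assumption: a legitimate clean_title is a URL-style slug.
SLUG = re.compile(r"[A-Za-z0-9._-]+")


def classify(clean_title):
    """Return 'breakout', 'suspicious', 'non-slug' or 'ok' for one value."""
    if BREAKOUT.search(clean_title):
        return "breakout"      # would have escaped the unpatched literal
    if SUSPICIOUS.search(clean_title):
        return "suspicious"    # markup characters worth a manual look
    if not SLUG.fullmatch(clean_title):
        return "non-slug"      # outside the assumed allowlist
    return "ok"


def audit(rows):
    """rows: iterable of (video_id, clean_title). Returns flagged rows only."""
    findings = []
    for video_id, title in rows:
        verdict = classify(title or "")
        if verdict != "ok":
            findings.append((video_id, verdict))
    return findings


# Constructed sample rows; in practice these come from a read-only export
# of the video table.
SAMPLE_ROWS = [
    (101, "my-holiday-video"),
    (102, "it's-a-test"),
    (103, 'clip-"final"'),
    (104, "caf\u00e9 tour"),
    (105, "end</script>tag"),
]

if __name__ == "__main__":
    for video_id, verdict in audit(SAMPLE_ROWS):
        print(f"video {video_id}: {verdict}")
```

Rows classified as "breakout" are the ones to prioritise, since those values would have left the string literal on an unpatched download page.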
Monitoring Recommendations
- Enable detailed logging on video creation and update endpoints
- Configure browser-side CSP violation reporting to capture attempted XSS exploitation
- Set up alerts for database queries containing script-related strings in video metadata
- Regularly audit video content database for anomalous title entries
How to Mitigate CVE-2026-33295
Immediate Actions Required
- Upgrade WWBN AVideo to version 26.0 or later immediately
- Audit existing video database entries for potentially malicious clean_title values
- Implement Content Security Policy headers to reduce XSS impact while patching
- Review recent video creation logs for suspicious activity
Patch Information
The vulnerability is fixed in WWBN AVideo version 26.0. The patch applies proper JSON encoding to the clean_title variable using PHP's json_encode() function, which correctly escapes special characters before embedding the value in JavaScript context. The fix is available in commit 30cdd825fa5778c1d678c2402be2413b84ee4833.
For detailed patch information, see the GitHub Security Advisory and the commit that implements the fix.
Workarounds
- Restrict video creation and modification privileges to trusted administrators only
- Implement server-side input validation to sanitize clean_title values before database storage
- Deploy a web application firewall with XSS detection rules targeting the CDN download endpoint
- Enable Content Security Policy headers with strict script-src directives to mitigate impact
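# Example Content Security Policy header configuration for Apache (requires mod_headers)
# Add to .htaccess or virtual host configuration
# script-src 'self' also blocks inline <script> blocks, including the one in downloadButtons.php;
# trial the policy with the Content-Security-Policy-Report-Only header before enforcing it
Header set Content-Security-Policy "default-src 'self'; script-src 'self'; object-src 'none';"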

