CVE-2026-41061 Overview
WWBN AVideo, an open source video platform, contains a stored Cross-Site Scripting (XSS) vulnerability in versions 29.0 and below. The isValidDuration() function in objects/video.php:918 uses a regex pattern /^[0-9]{1,2}:[0-9]{1,2}:[0-9]{1,2}/ without a $ end anchor, allowing arbitrary HTML/JavaScript to be appended after a valid duration prefix. The crafted duration is stored in the database and rendered without HTML escaping via echo Video::getCleanDuration() on trending pages, playlist pages, and video gallery thumbnails, resulting in stored cross-site scripting.
Critical Impact
Attackers can inject malicious scripts that execute in the context of other users' browsers when viewing video listings, potentially leading to session hijacking, credential theft, or malicious actions performed on behalf of authenticated users.
Affected Products
- WWBN AVideo versions 29.0 and below
- WWBN AVideo video gallery and playlist rendering components
- WWBN AVideo trending page functionality
Discovery Timeline
- April 21, 2026 - CVE-2026-41061 published to NVD
- April 22, 2026 - Last updated in NVD database
Technical Details for CVE-2026-41061
Vulnerability Analysis
This stored XSS vulnerability stems from an incomplete regular expression validation in the video duration field. The application accepts user-controlled duration values that are persisted to the database and later rendered in multiple page contexts without proper output encoding.
The regex pattern used for validation only anchors the beginning of the string with ^, checking that the input starts with a valid HH:MM:SS time format. However, the absence of the $ end anchor means any content appended after the duration prefix passes validation. An attacker can craft a malicious payload like 00:01:23<script>alert(document.cookie)</script> which satisfies the regex check but contains executable JavaScript.
Since the affected rendering function Video::getCleanDuration() echoes the stored value without HTML entity encoding, the malicious script executes whenever any user views the affected pages including trending pages, playlist pages, and video gallery thumbnails.
Root Cause
The root cause is twofold: first, the regex validation in isValidDuration() lacks a proper end anchor ($), allowing arbitrary content to be appended after a valid duration prefix. Second, the output function Video::getCleanDuration() fails to apply HTML escaping before rendering user-controlled data to the page, violating the principle of output encoding.
Attack Vector
This is a network-based attack requiring low privileges (authenticated user) and user interaction (victim must view an affected page). An authenticated attacker uploads a video or modifies video metadata with a malicious duration value. The payload bypasses the flawed regex validation and is stored in the database. When other users (including administrators) browse trending pages, playlists, or video galleries, the stored JavaScript executes in their browser context, potentially allowing session theft, account takeover, or further attack propagation.
<?php
// Vulnerable validation regex (before fix): anchored with ^ only, so anything
// appended after a valid HH:MM:SS prefix still passes. (Function name chosen here for illustration.)
function isValidDurationBeforeFix($duration) {
    return preg_match('/^[0-9]{1,2}:[0-9]{1,2}:[0-9]{1,2}/', $duration);
}

// Fixed validation regex with $ anchor (after patch)
// SECURITY: $ anchor is required; without it, arbitrary content after a valid
// HH:MM:SS prefix passes validation and can be stored/rendered as XSS.
// Optional decimal-seconds suffix (e.g. 00:01:23.456) is allowed.
function isValidDuration($duration) {
    return preg_match('/^[0-9]{1,2}:[0-9]{1,2}:[0-9]{1,2}(\.[0-9]+)?$/', $duration);
}
Source: GitHub Commit Reference
Detection Methods for CVE-2026-41061
Indicators of Compromise
- Presence of HTML tags or JavaScript within video duration fields in the database (e.g., 00:01:23<script>)
- Unusual duration values containing special characters such as <, >, ", or '
- Database entries in video tables with duration fields exceeding expected length for time strings
Detection Strategies
- Implement database queries to audit video duration fields for any values containing HTML special characters or exceeding typical time format lengths
- Review web server access logs for requests containing suspicious payload patterns targeting video upload or edit endpoints
- Deploy Web Application Firewall (WAF) rules to detect XSS payload patterns in form submissions to video management endpoints
Monitoring Recommendations
- Enable Content Security Policy (CSP) reporting to detect inline script execution attempts that may indicate XSS exploitation
- Monitor for unusual session activity following video page views, which could indicate session hijacking via XSS
- Configure logging for database modifications to video metadata fields to identify injection attempts
How to Mitigate CVE-2026-41061
Immediate Actions Required
- Upgrade WWBN AVideo to a version containing commit bcba324644df8b4ed1f891462455f1cd26822a45 or later
- Audit existing database records for malicious content in video duration fields and sanitize any compromised entries
- Implement Content Security Policy headers to mitigate impact of any unpatched XSS vulnerabilities
Patch Information
The vulnerability has been addressed in commit bcba324644df8b4ed1f891462455f1cd26822a45. The fix modifies the regex pattern in isValidDuration() to include a proper $ end anchor, ensuring only valid duration formats are accepted. The updated pattern /^[0-9]{1,2}:[0-9]{1,2}:[0-9]{1,2}(\.[0-9]+)?$/ strictly validates the entire input string while still allowing optional decimal seconds notation.
For more details, see the GitHub Security Advisory and the patch commit.
Workarounds
- Implement server-side input sanitization by stripping all HTML tags from duration values before storage
- Apply output encoding using htmlspecialchars() or equivalent when rendering duration values in templates
- Deploy WAF rules to block requests containing HTML/JavaScript payloads in video metadata fields
# Database audit query to identify potentially compromised records: flags duration values
# containing HTML special characters or longer than any valid HH:MM:SS[.fff] string
mysql -u admin -p -e "SELECT id, duration FROM videos WHERE duration REGEXP '[<>\"''&]' OR LENGTH(duration) > 15;" avideo_db
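As an added example (not AVideo's own code), the validation, output-encoding and audit logic described above, ported from the PHP shown to Python so the pieces can be exercised together: the ^-only pattern accepts a payload appended to a valid duration, the patched pattern rejects it, htmlspecialchars-style escaping neutralises it at render time, and an audit pass flags stored rows the way the query above does. The function names and the sample rows are constructed for this example.

```python
import html
import re
# Pattern used by the vulnerable isValidDuration(): anchored with ^ only.
VULNERABLE_RE = re.compile(r"^[0-9]{1,2}:[0-9]{1,2}:[0-9]{1,2}")
# Patched pattern: anchored at both ends, optional decimal seconds allowed.
FIXED_RE = re.compile(r"^[0-9]{1,2}:[0-9]{1,2}:[0-9]{1,2}(\.[0-9]+)?$")
HTML_SPECIAL = set('<>"\'&')  # the characters htmlspecialchars() encodes

def is_valid_duration_vulnerable(duration: str) -> bool:
    # re.match, like preg_match with a ^-only pattern, only needs a match at the
    # start of the string, so a payload appended after HH:MM:SS still passes.
    return VULNERABLE_RE.match(duration) is not None

def is_valid_duration_fixed(duration: str) -> bool:
    # re.fullmatch must consume the whole string. Caveat: PHP's $ without the D
    # modifier still tolerates one trailing newline; fullmatch rejects even that.
    return FIXED_RE.fullmatch(duration) is not None

def render_duration(duration: str) -> str:
    # Output encoding (the htmlspecialchars() workaround): even if a bad value
    # reaches the template, it is rendered as text rather than as markup.
    return html.escape(duration, quote=True)

def audit_durations(rows):
    """Return (id, duration, reason) for each stored value the patched validator rejects."""
    findings = []
    for video_id, duration in rows:
        if is_valid_duration_fixed(duration):
            continue
        if any(c in HTML_SPECIAL for c in duration):
            reason = "contains HTML special characters"
        elif len(duration) > 15:
            reason = "longer than any HH:MM:SS[.fff] value"
        else:
            reason = "does not match strict duration format"
        findings.append((video_id, duration, reason))
    return findings

# Constructed sample rows, not data from a real AVideo database.
SAMPLE_ROWS = [
    (1, "00:01:23"),
    (2, "1:02:03.456"),
    (3, "00:01:23<script>alert(document.cookie)</script>"),
    (4, "00:01:23 "),
]

if __name__ == "__main__":
    for video_id, duration, reason in audit_durations(SAMPLE_ROWS):
        print(f"video {video_id}: {reason}: {render_duration(duration)}")
```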
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

