CVE-2026-41063: WWBN AVideo XSS Vulnerability

CVE-2026-41063 is a cross-site scripting vulnerability in WWBN AVideo that allows attackers to bypass sanitization through markdown link syntax. This article covers the technical details, affected versions, and mitigation.

CVE-2026-41063 Overview

CVE-2026-41063 is a stored Cross-Site Scripting (XSS) vulnerability [CWE-79] in WWBN AVideo, an open source video platform. Versions 29.0 and below ship an incomplete XSS fix in the ParsedownSafeWithLinks class. The class overrides inlineMarkup to strip raw HTML but fails to override inlineLink() and inlineUrlTag(). This omission allows javascript: URLs embedded in standard markdown link syntax to bypass sanitization. Authenticated users who can post markdown content can inject scripts that execute in another viewer's browser session.

Critical Impact

Authenticated attackers can inject javascript: URIs through markdown links, executing arbitrary script in victim browsers and enabling session hijacking, credential theft, or unauthorized actions within the AVideo platform.

Affected Products

  • WWBN AVideo versions 29.0 and below
  • Component: objects/functionsSecurity.php (ParsedownSafeWithLinks class)
  • Markdown rendering paths exposing inlineLink() and inlineUrlTag()

Discovery Timeline

  • 2026-04-21 - CVE-2026-41063 published to NVD
  • 2026-04-24 - Last updated in NVD database

Technical Details for CVE-2026-41063

Vulnerability Analysis

AVideo extends the Parsedown markdown library with a ParsedownSafeWithLinks subclass intended to neutralize unsafe HTML. The original mitigation overrode inlineMarkup() so raw <script> tags or inline event handlers were stripped before rendering. However, Parsedown also exposes inlineLink() for the [text](url) syntax and inlineUrlTag() for <url> auto-links, both of which directly produce href attributes from user input. Because the subclass did not override these methods, an attacker could supply a markdown link such as [click](javascript:alert(document.cookie)) and Parsedown would emit a fully functional anchor element pointing at the JavaScript URI.

When another authenticated user activates the link, the script runs under AVideo's origin. The attacker inherits the victim's session and can act as that user inside the platform. Exploitation requires that the attacker can post markdown content and that a victim interacts with the rendered link, consistent with the user interaction requirement in the CVSS vector.

Root Cause

The root cause is incomplete sanitization. The fix scope covered raw HTML through inlineMarkup() but did not enforce a protocol whitelist on URL-bearing markdown constructs. Any scheme accepted by the browser, including javascript:, vbscript:, and data:, was preserved in the rendered output.

Attack Vector

An authenticated user submits markdown containing a link whose URL uses the javascript: scheme. The application stores and later renders the content as HTML. A second user views the page and clicks the link, triggering script execution in the AVideo origin. Auto-link syntax <javascript://...> provides an equivalent path through inlineUrlTag().

php
         return parent::blockMarkup($Line);
     }
 
+    protected function inlineLink($Excerpt)
+    {
+        $Link = parent::inlineLink($Excerpt);
+
+        if ($Link === null) {
+            return null;
+        }
+
+        $href = isset($Link['element']['attributes']['href']) ? $Link['element']['attributes']['href'] : '';
+
+        // Apply the same whitelist as sanitizeATag: http(s), mailto, relative paths, page anchors.
+        // Anything else (javascript:, vbscript:, data:, ...) is stripped.
+        if ($href !== '' && !preg_match('/^(https?:\/\/|mailto:|\/|#)/i', $href)) {
+            $Link['element']['attributes']['href'] = '';
+        }
+
+        return $Link;
+    }
+
     protected function inlineMarkup($Excerpt)
     {
         if (strpos($Excerpt['text'], '>') === false) {
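Review bot: the fallback branch after the `preg_match`, `$Link['element']['attributes']['href'] = '';`, keeps the anchor but with an empty href, which browsers resolve to the current page, so a rejected link still renders as a clickable element; setting the attribute to null (Parsedown skips null attributes when it renders an element) or returning null to drop the link entirely would make the rejection explicit. A short comment stating why an empty string was chosen over removing the link would also help a reader of this method.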

Source: WWBN AVideo commit 3ae02fa. The patch overrides inlineLink() and enforces a protocol whitelist permitting only http(s)://, mailto:, relative paths, and anchors.

php
         return $Link;
     }
 
+    protected function inlineUrlTag($Excerpt)
+    {
+        $Link = parent::inlineUrlTag($Excerpt);
+
+        if ($Link === null) {
+            return null;
+        }
+
+        $href = isset($Link['element']['attributes']['href']) ? $Link['element']['attributes']['href'] : '';
+
+        // Auto-link syntax <url> — apply the same protocol whitelist.
+        // The base regex requires scheme:// so javascript:// is the realistic bypass vector.
+        if ($href !== '' && !preg_match('/^https?:\/\//i', $href)) {
+            $Link['element']['attributes']['href'] = '';
+        }
+
+        return $Link;
+    }
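Review bot: the comment says "apply the same protocol whitelist", but the regex `'/^https?:\/\//i'` is narrower than the one in `inlineLink()` (no mailto:, relative paths or anchors); the following comment line explains that the base regex requires scheme://, so either state plainly that the narrower list is intentional for that reason or have both methods reuse one shared allow-list constant so the two copies cannot drift apart. The same empty-string fallback `$Link['element']['attributes']['href'] = '';` applies here as well and would benefit from the same null-or-drop treatment.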

Source: WWBN AVideo commit cae8f0d. This follow-up adds the same protocol enforcement to inlineUrlTag() for the <url> auto-link syntax.

Detection Methods for CVE-2026-41063

Indicators of Compromise

  • Markdown content stored in AVideo records that contains javascript:, vbscript:, or data: URI schemes in link syntax.
  • Rendered anchor tags whose href attribute begins with anything other than http://, https://, mailto:, /, or #.
  • Web access logs showing unexpected outbound calls to attacker-controlled hosts immediately after a victim visits a content page.
  • Session cookies or CSRF tokens appearing in referrer headers or query strings sent to external domains.

Detection Strategies

  • Scan the AVideo database for markdown fields matching the regex \]\(\s*javascript: or <\s*javascript:.
  • Inspect HTTP response bodies for anchor tags whose href does not match the whitelist applied by the patch.
  • Correlate authenticated content submissions with subsequent clicks generating anomalous JavaScript activity in the same session.
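As an added example, not code from the advisory or the AVideo project, the following Python mirrors the allow-list from the Root Cause and Patch sections and applies it both to link targets in stored markdown and to href attributes in rendered HTML, covering the first two detection strategies above. The markdown patterns and the sample records are constructed here and approximate Parsedown's link syntax rather than reproduce its parser.

```python
import re
from html.parser import HTMLParser

# Allow-list from the upstream inlineLink() fix: http(s)://, mailto:,
# site-relative paths and page anchors; anything else is unsafe.
SAFE_HREF = re.compile(r'^(https?://|mailto:|/|#)', re.IGNORECASE)

# Constructed approximations (not Parsedown's own regexes) of the two
# constructs that emit an href: [text](url) via inlineLink() and
# <scheme://...> via inlineUrlTag().
MD_LINK = re.compile(r'\]\(\s*((?:[^\s()]+|\([^\s)]*\))+)')
MD_AUTOLINK = re.compile(r'<(\w+://[^\s>]+)>')

def is_safe_href(href):
    """Apply the patch's allow-list. ASCII control/whitespace characters are
    removed first: the browser URL parser strips leading ones and ignores
    embedded tabs and newlines, so they must not defeat the check."""
    return bool(SAFE_HREF.match(re.sub(r'[\x00-\x20]', '', href)))

def unsafe_markdown_urls(markdown):
    """Link targets in a stored markdown field that fail the allow-list."""
    urls = MD_LINK.findall(markdown) + MD_AUTOLINK.findall(markdown)
    return [u for u in urls if not is_safe_href(u)]

class AnchorAudit(HTMLParser):
    """Collects <a href> values in rendered HTML that fail the allow-list."""
    def __init__(self):
        super().__init__()
        self.unsafe = []

    def handle_starttag(self, tag, attrs):
        if tag == 'a':
            for name, value in attrs:
                if name == 'href' and value and not is_safe_href(value):
                    self.unsafe.append(value)

def unsafe_rendered_hrefs(html):
    """Audit an HTTP response body (rendered content page) for unsafe anchors."""
    audit = AnchorAudit()
    audit.feed(html)
    return audit.unsafe

if __name__ == '__main__':
    # Constructed sample records, not data taken from the advisory.
    stored = '[docs](https://example.com/a) [click](javascript:alert(1)) <javascript://x>'
    print(unsafe_markdown_urls(stored))   # ['javascript:alert(1)', 'javascript://x']
    rendered = '<a href="/v/1">ok</a><a href="JavaScript:void(0)">x</a>'
    print(unsafe_rendered_hrefs(rendered))  # ['JavaScript:void(0)']
```

Run the markdown scanner over exported content fields and the HTML audit over captured response bodies; the same is_safe_href() decision applies to both, so a record flagged by one and not the other points at a rendering path that escapes the patched methods.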

Monitoring Recommendations

  • Enable HTTP response logging on AVideo reverse proxies and alert on href="javascript: substrings.
  • Forward web server and application logs to a centralized analytics platform and build queries for markdown abuse patterns.
  • Monitor account creation followed quickly by markdown post activity, a common precursor to stored XSS abuse.

How to Mitigate CVE-2026-41063

Immediate Actions Required

  • Update AVideo to a release that includes commits 3ae02fa240939dbefc5949d64f05790fd25d728d and cae8f0dadbdd962c89b91d0095c76edb8aadcacf.
  • Audit existing user-generated content for stored javascript: payloads and remove or neutralize affected records.
  • Force session invalidation for accounts that may have viewed malicious links during the exposure window.
  • Restrict markdown posting privileges to trusted roles until patching is verified.

Patch Information

The fix is delivered in two commits to objects/functionsSecurity.php. Commit 3ae02fa overrides inlineLink() to enforce a protocol whitelist of http(s)://, mailto:, relative paths, and anchors. Commit cae8f0d extends the same enforcement to inlineUrlTag() for auto-link syntax. Both must be applied. Refer to the GHSA-72h5-39r7-r26j advisory and GHSA-m7r8-6q9j-m2hc advisory for vendor guidance.

Workarounds

  • Deploy a Content Security Policy (CSP) that disallows inline script execution and javascript: URIs, for example script-src 'self'.
  • Place a web application firewall rule in front of AVideo that rejects request bodies containing ](javascript: or <javascript: patterns.
  • Disable markdown rendering features for untrusted user roles until the patched version is deployed.

bash
# Apply the upstream fixes to a local AVideo checkout
cd /var/www/AVideo
git fetch origin
git cherry-pick 3ae02fa240939dbefc5949d64f05790fd25d728d
git cherry-pick cae8f0dadbdd962c89b91d0095c76edb8aadcacf

# Example CSP header for the AVideo virtual host (nginx)
# add_header Content-Security-Policy "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self';" always;

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.