CVE-2026-47694 Overview
CVE-2026-47694 is a stored cross-site scripting (XSS) vulnerability in WWBN AVideo, an open source video platform. The flaw affects version 29.0 and earlier. AVideo stores user-supplied category descriptions and later renders the category_description field as raw HTML in the Gallery view. A user with permission to create or edit categories can inject JavaScript that executes when other users browse the affected Gallery or category page. This issue is distinct from previously fixed XSS bugs in video titles and comments. The vulnerability is categorized under CWE-79, Improper Neutralization of Input During Web Page Generation.
Critical Impact
Authenticated users with category management privileges can execute arbitrary JavaScript in the browsers of other users viewing the Gallery, enabling session theft, account takeover, and content tampering.
Affected Products
- WWBN AVideo 29.0
- WWBN AVideo prior to 29.0
- AVideo Gallery view rendering category_description
Discovery Timeline
- 2026-05-29 - CVE-2026-47694 published to NVD
- 2026-06-01 - Last updated in NVD database
Technical Details for CVE-2026-47694
Vulnerability Analysis
The vulnerability resides in how AVideo handles category metadata. When an authenticated user creates or edits a category, the platform stores the category description verbatim in the backend. When the Gallery view subsequently renders the category listing, the category_description field is emitted into the HTML response without output encoding or sanitization. This allows attacker-supplied <script> tags or event-handler attributes to execute in the context of any visiting user's browser session.
Because the payload is persisted server-side, every user who loads the affected Gallery page triggers the injected code without further attacker interaction. The scope change in the CVSS vector indicates the executed JavaScript can access resources beyond the vulnerable component, such as cookies, session tokens, and DOM elements belonging to the authenticated user.
Root Cause
The root cause is missing output encoding on the category_description field in the Gallery view template. AVideo treats the stored description as trusted HTML rather than escaping special characters such as <, >, ", and '. Previous fixes addressed XSS in video titles and comments but did not extend the same neutralization to category descriptions.
Attack Vector
An attacker requires a valid AVideo account with permission to create or modify categories. The attacker submits a category description containing JavaScript, for example through <script> blocks or HTML attributes carrying onerror, onload, or onmouseover handlers. When another user, including administrators, navigates to the Gallery or the affected category page, the browser parses the malicious markup and executes the script under the victim's session. The attacker can then exfiltrate session cookies, perform actions on behalf of the victim, or pivot to administrative functions if a privileged user is targeted.
No verified proof-of-concept code is published. See the GitHub Security Advisory GHSA-c8h8-vq34-9fw2 for vendor details.
Detection Methods for CVE-2026-47694
Indicators of Compromise
- Category records containing HTML tags such as <script>, <img>, <svg>, or <iframe> in the category_description column.
- Outbound HTTP requests from user browsers to unfamiliar domains shortly after loading the Gallery page.
- Unexpected session activity or administrative actions originating from accounts that recently viewed category pages.
Detection Strategies
- Query the AVideo database for category descriptions containing angle brackets, JavaScript event handlers, or URL schemes such as javascript: and data:.
- Inspect web server access logs for POST requests to category create or edit endpoints submitted by non-administrative accounts.
- Review Content Security Policy violation reports if CSP is enabled, focusing on inline script violations on Gallery routes.
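As an added example (not AVideo's own code), the following Python script applies the database query logic above to constructed sample category rows, and beside it shows the output-encoding step that the Root Cause section says the Gallery template lacks. The row layout, the sample descriptions and the comparison to PHP's htmlspecialchars are assumptions for illustration.

```python
import html
import re

# Constructed sample rows shaped like AVideo category records:
# (id, name, category_description). Illustrative values, not data from a real install.
SAMPLE_CATEGORIES = [
    (1, "Music", "Live sessions and studio recordings"),
    (2, "Tutorials", 'How-to videos <img src="x" onerror="alert(1)">'),
    (3, "News", "<script>alert(1)</script>"),
    (4, "Links", '<a href="javascript:void(0)">click</a>'),
    (5, "Docs", "Version 2 only, no markup here"),
    (6, "Art", '<svg onload="alert(1)"></svg>'),
]

# One regex per indicator named in the detection strategy:
# HTML tags, inline event handlers, and javascript:/data: URL schemes.
CHECKS = {
    "html_tag": re.compile(r"<\s*/?[a-zA-Z][^>]*>"),
    "event_handler": re.compile(r"\bon[a-zA-Z]+\s*=", re.IGNORECASE),
    "url_scheme": re.compile(r"\b(?:javascript|data)\s*:", re.IGNORECASE),
}


def scan_description(text):
    """Return the indicator names that fire on a single stored description."""
    return [name for name, rx in CHECKS.items() if rx.search(text)]


def scan_categories(rows):
    """Map category id -> fired indicators for every row that looks like markup."""
    findings = {}
    for cat_id, _name, description in rows:
        hits = scan_description(description)
        if hits:
            findings[cat_id] = hits
    return findings


def encode_description(text):
    """The missing output-encoding step: escape &, <, >, " and ' so the browser
    treats the description as text (assumed PHP equivalent: htmlspecialchars with ENT_QUOTES)."""
    return html.escape(text, quote=True)


def safe_to_emit(text):
    """True when no raw HTML metacharacter survives, so no tag or attribute can form."""
    return not any(ch in text for ch in "<>\"'")


if __name__ == "__main__":
    for cat_id, hits in scan_categories(SAMPLE_CATEGORIES).items():
        print(f"category {cat_id}: {', '.join(hits)}")
```

Note that the scanner runs against stored data, not rendered output: an encoded description still contains the literal text onerror=, but with no raw angle brackets it can no longer form a tag.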
Monitoring Recommendations
- Enable verbose application logging for category create, update, and delete operations and forward those logs to a centralized SIEM.
- Monitor authentication telemetry for session token reuse across distinct IP addresses, a common post-exploitation signal of stolen cookies.
- Alert on browser-side anomalies such as unexpected DOM modifications or script loads from non-allowlisted origins.
How to Mitigate CVE-2026-47694
Immediate Actions Required
- Upgrade AVideo to a release later than 29.0 that includes the vendor fix referenced in GHSA-c8h8-vq34-9fw2.
- Audit existing category descriptions and remove any entries containing HTML or JavaScript payloads.
- Restrict category creation and edit permissions to trusted administrators until patching is complete.
Patch Information
WWBN published the fix in the AVideo GitHub Security Advisory GHSA-c8h8-vq34-9fw2. Administrators should update to the patched release and verify that the Gallery view applies HTML encoding to category_description output.
Workarounds
- Apply a strict Content Security Policy that disallows inline scripts and restricts script sources to trusted origins.
- Temporarily disable the Gallery view or hide category descriptions in the template until the patch is deployed.
- Revoke category management privileges from non-administrative users and rotate session cookies for any account that may have viewed tampered category pages.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

