๐Ÿ” CVE Alert

CVE-2026-27568

UNKNOWN 0.0

AVideo has Stored Cross-Site Scripting via Markdown Comment Injection

CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th

WWBN AVideo is an open source video platform. Prior to version 21.0, AVideo allows Markdown in video comments and uses Parsedown (v1.7.4) without Safe Mode enabled. Markdown links are not sufficiently sanitized, allowing `javascript:` URIs to be rendered as clickable links. An authenticated low-privilege attacker can post a malicious comment that injects persistent JavaScript. When another user clicks the link, the attacker can perform actions such as session hijacking, privilege escalation (including admin takeover), and data exfiltration. Version 21.0 contains a fix. As a workaround, validate and block unsafe URI schemes (e.g., `javascript:`) before rendering Markdown, and enable Parsedown Safe Mode.
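
The workaround described above, sketched in PHP as an added example (not AVideo's or Parsedown's own code): link destinations are checked against a scheme allowlist before rendering, and Parsedown Safe Mode is enabled when the library is loaded. The function names, the allowlist and the sample comments are assumptions made for this illustration.

```php
<?php
// Added example; function names and the allowlist are hypothetical.
const ALLOWED_SCHEMES = ['http', 'https', 'mailto']; // assumed policy

function isSafeLinkTarget(string $url): bool
{
    // Decode entities so "javascript&#58;" is compared as "javascript:".
    $u = html_entity_decode($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    // Browsers drop tabs/newlines and leading control bytes when parsing a URL.
    $u = preg_replace('/[\x00-\x20\x7f]+/', '', $u);
    if (!preg_match('/^([a-z][a-z0-9+.-]*):/i', $u, $m)) {
        return true; // no scheme: relative URL or fragment
    }
    return in_array(strtolower($m[1]), ALLOWED_SCHEMES, true);
}

function unsafeLinkTargets(string $markdown): array
{
    $patterns = [
        '/\]\(\s*<?([^ )>]*)/',              // inline link or image: [text](dest)
        '/^ {0,3}\[[^\]]+\]:\s*<?(\S+)/m',   // reference definition: [id]: dest
        '/<([a-z][a-z0-9+.-]*:[^>\s]*)>/i',  // autolink: <scheme:...>
    ];
    $bad = [];
    foreach ($patterns as $p) {
        preg_match_all($p, $markdown, $found);
        foreach ($found[1] as $dest) {
            if (!isSafeLinkTarget($dest)) { $bad[] = $dest; }
        }
    }
    return $bad;
}

function renderComment(string $markdown): ?string
{
    if (unsafeLinkTargets($markdown) !== []) {
        return null; // reject the comment instead of trying to repair it
    }
    if (!class_exists('Parsedown')) {
        return htmlspecialchars($markdown, ENT_QUOTES, 'UTF-8'); // fallback for this demo
    }
    $pd = new Parsedown();
    $pd->setSafeMode(true); // Safe Mode, as the advisory recommends
    return $pd->text($markdown);
}

// Constructed sample comments.
foreach (['[docs](https://example.com/a)', '[x](javascript:void(0))', "[y](Java\tScript&#58;void(0))"] as $c) {
    echo json_encode($c), ' => ', renderComment($c) === null ? 'rejected' : 'accepted', PHP_EOL;
}
```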

CWE CWE-79
Vendor wwbn
Product avideo
Published Feb 24, 2026
Last Updated Feb 27, 2026

Affected Versions

WWBN / AVideo
< 21.0

References

github.com: https://github.com/WWBN/AVideo/security/advisories/GHSA-rcqw-6466-3mv7
github.com: https://github.com/WWBN/AVideo/commit/ade348ed6d28b3797162c3d9e98054fb09ec51d7
github.com: https://github.com/WWBN/AVideo/releases/tag/21.0