CVE-2026-33295
AVideo Vulnerable to Stored XSS via Unescaped Video Title in CDN downloadButtons.php
CVSS Score: 0.0
EPSS Score: 0.0%
EPSS Percentile: 3rd
WWBN AVideo is an open source video platform. Prior to version 26.0, WWBN/AVideo contains a stored cross-site scripting vulnerability in the CDN plugin's download buttons component. The `clean_title` field of a video record is interpolated directly into a JavaScript string literal without any escaping, allowing an attacker who can create or modify a video to inject arbitrary JavaScript that executes in the browser of any user who visits the affected download page. Version 26.0 fixes the issue.
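The bug class described above, shown as an added example that is not AVideo's code or the 26.0 patch: a title interpolated raw into a JavaScript string literal, next to a version that emits the literal through `json_encode()`. The function names `render_unsafe`, `js_string` and `render_safe` and the sample title are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample: a title containing characters that are significant
// inside a JavaScript string literal and inside an HTML <script> block.
$video = ['clean_title' => "demo'title\\ with </script> and \n newline"];

// Unsafe pattern (the class of bug described above): raw interpolation
// into a quoted JS string. Quote, backslash, newline and </script> all
// pass through unchanged.
function render_unsafe(array $video): string
{
    return "<script>var title = '{$video['clean_title']}';</script>";
}

// Hardened pattern: let json_encode() emit the whole JS string literal,
// including its quotes. The JSON_HEX_* flags turn <, >, &, ' and " into
// \uXXXX escapes so the value cannot close the string or the script tag.
function js_string(string $value): string
{
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP | JSON_THROW_ON_ERROR
    );
}

function render_safe(array $video): string
{
    return '<script>var title = ' . js_string($video['clean_title']) . ';</script>';
}

// Check that none of the breakout characters survive inside the literal
// (the surrounding double quotes added by json_encode are stripped first).
$literal = js_string($video['clean_title']);
foreach (["'", '"', '<', '>', "\n"] as $ch) {
    if (strpos(substr($literal, 1, -1), $ch) !== false) {
        throw new RuntimeException('unescaped character in JS literal');
    }
}

echo render_unsafe($video), PHP_EOL, render_safe($video), PHP_EOL;
```

HTML-entity encoding alone (for example `htmlspecialchars()`) is the wrong encoder for this context, because entities are not decoded inside a `<script>` block; the value has to be encoded for JavaScript.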
| CWE | CWE-79 |
| Vendor | wwbn |
| Product | avideo |
| Published | Mar 22, 2026 |
| Last Updated | Mar 23, 2026 |
Affected Versions
WWBN / AVideo
< 26.0