CVE-2026-47694: WWBN AVideo Stored XSS in Category Descriptions (CVSS 5.4)
WWBN AVideo, an open-source video platform, contains a stored cross-site scripting (XSS) vulnerability in how it handles category descriptions. Any user with permission to create or modify video categories can inject malicious JavaScript code into the description field. This code then executes in the browsers of other users who view that category's gallery page. Unlike previously patched XSS issues affecting video titles or comments, this flaw specifically targets the category description rendering pipeline.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.4 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
- Weaknesses (CWE)
- CWE-79
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-05-29 / 2026-06-17
NVD description (verbatim)
WWBN AVideo is an open source video platform. In 29.0 and earlier, AVideo stores category descriptions from user input and later renders category_description as raw HTML in the Gallery view. A user who can create or edit categories can store JavaScript in a category description, which executes when another user views the affected Gallery/category page. This is a stored XSS in the category description field, separate from previously fixed XSS issues in video titles or comments.
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-47694 is a stored XSS vulnerability in WWBN AVideo version 29.0 and earlier. The application fails to sanitize or encode user-supplied input in the category description field before rendering it as raw HTML in the Gallery view. An authenticated attacker with category creation or edit permissions can inject arbitrary JavaScript that persists in the database and executes in the context of other users' browsers, potentially within a cross-site context depending on the deployment configuration. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation).
Business impact
This vulnerability enables account compromise, session hijacking, and credential theft targeting your user base. Users who view an attacker-modified category page could have their session tokens or authentication cookies stolen, allowing the attacker to impersonate them or access sensitive content. For public or semi-public AVideo deployments, this expands the attack surface beyond authenticated users. Depending on integration with other services, malicious scripts could redirect users to phishing sites, deface content, or perform unauthorized actions on behalf of victims.
Affected systems
WWBN AVideo version 29.0 and all earlier versions are affected. This includes both self-hosted deployments and any managed instances running vulnerable builds. The vulnerability requires authentication to exploit, so it is limited to users or attackers with valid accounts and sufficient permissions to create or edit categories.
Exploitability
Exploitation is straightforward for an attacker with category creation or edit privileges. No special tools, complex techniques, or user interaction beyond viewing the gallery page is required. The stored nature means the attack is persistent—injected code executes every time any user visits the affected category. The CVSS 3.1 score of 5.4 (Medium) reflects the requirement for authentication and user interaction (a victim must view the gallery), but acknowledges the ease of injection and the cross-site impact potential.
Remediation
Upgrade WWBN AVideo to a patched version that properly sanitizes and encodes category description input before rendering. Verify the patch version against the official WWBN AVideo release notes or vendor advisory. As an interim measure, restrict category creation and editing permissions to highly trusted administrators, and audit existing category descriptions for suspicious JavaScript patterns or HTML tags. Enable Content Security Policy (CSP) headers to mitigate stored XSS impact by limiting script execution.
Patch guidance
Check the WWBN AVideo official repository and vendor advisory for the earliest patched version after 29.0. Apply the update through your deployment method (package manager, direct binary, or container image). If you maintain a custom fork or deployment, verify that user input sanitization functions are applied to category_description fields and that output encoding is enforced during HTML rendering in the Gallery view. Test the patch in a staging environment before production rollout.
Detection guidance
Search your AVideo database for category descriptions containing JavaScript keywords (script, onerror, onload, etc.) and HTML entities or tags. Monitor access logs for unusual patterns around category viewing or editing endpoints. Deploy a Web Application Firewall (WAF) rule to flag or block category update requests containing script-like patterns. In version 29.0 and earlier, any category description containing HTML tags or script elements should be treated as a potential indicator of compromise.
Why prioritize this
Although rated Medium severity due to authentication and user-interaction requirements, this vulnerability should be prioritized for timely remediation. Stored XSS flaws are persistent and affect entire user populations; once injected, they silently compromise anyone accessing the affected page. The ease of exploitation by any user with category permissions (even low-privilege accounts) and the potential for credential theft or lateral movement justify rapid patching. Organizations with public or multi-tenant AVideo deployments should treat this as higher priority.
Risk score, explained
The CVSS 3.1 score of 5.4 reflects a Medium severity rating. Positively impacting the score: authentication is required (PR:L), and the attack requires a user to view the gallery (UI:R). However, the attack has cross-site implications (S:C), achieves both confidentiality and integrity impact (C:L, I:L), and is trivial to execute over the network without complex conditions (AV:N, AC:L). The stored nature and persistence of the attack elevate practical risk beyond the base score in real-world deployments.
Frequently asked questions
Can this vulnerability be exploited by unauthenticated users?
No. CVE-2026-47694 requires a valid user account with permissions to create or edit categories. However, the payload executes for all users—including unauthenticated visitors if your gallery is public—who view the affected category page.
How is this different from the previously fixed XSS issues in AVideo?
Earlier patches addressed XSS in video titles and comments. This vulnerability specifically targets the category description field and its rendering path in the Gallery view, representing a separate and distinct code path that was not covered by prior fixes.
What should I do if I cannot update immediately?
Limit category creation and editing permissions to administrators you fully trust. Audit all existing category descriptions for suspicious content. Implement or strengthen Content Security Policy headers to restrict inline script execution. Monitor category viewing patterns for anomalies. These are interim controls, not replacements for patching.
Does this affect AVideo instances behind a firewall or in private networks?
Yes. Network isolation does not mitigate stored XSS. Any user with category permissions—inside or outside the firewall—can inject malicious code. Once stored, it executes for all viewers. Network controls do not replace the need to patch or apply input sanitization.
This analysis is provided for informational purposes and represents the state of information as of the modification date (2026-06-17). Security analysts should verify all patch version numbers, deployment guidance, and affected product configurations against official vendor advisories before implementation. This vulnerability does not appear on the CISA Known Exploited Vulnerabilities (KEV) catalog as of the publication date, but organizations should assume active exploitation is possible once detailed PoCs circulate. Always validate patches in a controlled environment before production deployment. SEC.co makes no warranty regarding the completeness or accuracy of this analysis. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-45580MEDIUMWWBN AVideo Stored XSS in Live Plugin Stream Key
- CVE-2018-25384MEDIUMStored XSS in Wikidforum 2.20 Allows Authenticated Attackers to Inject Malicious Scripts
- CVE-2019-25731MEDIUMStored XSS in Zuz Music 2.1 Contact Form
- CVE-2019-25737MEDIUMStored XSS in Live Chat Unlimited 2.8.3 – Admin Session Compromise
- CVE-2019-25739MEDIUMGigToDo 1.3 Stored XSS Vulnerability in Proposal Descriptions
- CVE-2019-25742MEDIUMStored XSS in Zoner Real Estate WordPress Theme 4.1.1 – Admin Account Compromise Risk
- CVE-2019-25743MEDIUMWordPress Soliloquy Lite 2.5.6 Stored XSS Vulnerability
- CVE-2019-25744MEDIUMWordPress Popup Builder 3.49 Stored XSS Vulnerability – Exploit Prevention & Patch Guide