PT-2026-21341 · Parsedown+1

Arkmarta · Published 2026-02-20 · Updated 2026-02-25 · CVE-2026-27568

CVSS v3.1: 6.1 (Medium)

Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions

AVideo versions prior to 21.0; AVideo version 18.0

Description

AVideo allows Markdown in video comments and uses Parsedown (v1.7.4) without Safe Mode enabled. Markdown links are not sufficiently sanitized, allowing javascript: URIs to be rendered as clickable links. An authenticated low-privilege attacker can post a malicious comment that injects persistent JavaScript. When another user clicks the link, the attacker can perform actions such as session hijacking, privilege escalation (including admin takeover), and data exfiltration. The issue is a Stored Cross-Site Scripting (XSS) as defined by CWE-79.

Recommendations

Versions prior to 21.0 should be updated to version 21.0 or later. For AVideo version 18.0, validate and block unsafe URI schemes (e.g., javascript:) before rendering Markdown. Enable Parsedown Safe Mode.
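The two mitigations the recommendations describe, as an added PHP example that is not AVideo's or Parsedown's own code: a scheme allowlist applied to inline link destinations before rendering, followed by Parsedown 1.7.4 with Safe Mode enabled. The allowlist contents and the helpers `commentHasUnsafeLinks()` and `renderComment()` are assumptions, not AVideo identifiers.

```php
<?php
// Added example, not AVideo's or Parsedown's own code. Assumes Parsedown 1.7.4 is
// autoloaded via Composer; renderComment() is a hypothetical stand-in for AVideo's
// comment rendering path.
require __DIR__ . '/vendor/autoload.php';

// Schemes a comment may link to. An allowlist beats a "javascript:" denylist,
// which misses case variants and other scripting schemes.
const ALLOWED_LINK_SCHEMES = ['http', 'https', 'mailto'];

/**
 * Pre-render check: true if any inline Markdown link or image destination uses a
 * scheme outside the allowlist. Relative destinations (no scheme) pass. Reference-
 * style definitions ([ref]: url) are not inspected here and are left to Safe Mode.
 */
function commentHasUnsafeLinks(string $markdown): bool
{
    // Destination of [text](dest), [text](dest "title") or [text](<dest>).
    if (!preg_match_all('/\]\(\s*<?([^\s)>]+)/', $markdown, $m)) {
        return false;
    }
    foreach ($m[1] as $dest) {
        // Normalise before comparing: decode entities, drop whitespace and
        // control characters, lowercase. Compare only the scheme prefix.
        $clean = html_entity_decode($dest, ENT_QUOTES | ENT_HTML5, 'UTF-8');
        $clean = strtolower(preg_replace('/[\x00-\x20]+/', '', $clean));
        if (preg_match('/^([a-z][a-z0-9+.-]*):/', $clean, $s)
            && !in_array($s[1], ALLOWED_LINK_SCHEMES, true)) {
            return true; // also rejects host:port without a scheme; acceptable here
        }
    }
    return false;
}

function renderComment(string $markdown): string
{
    if (commentHasUnsafeLinks($markdown)) {
        throw new InvalidArgumentException('Comment rejected: disallowed link scheme');
    }
    $parser = new Parsedown();
    // The advisory's fix: Safe Mode escapes raw HTML and neutralises link
    // destinations outside Parsedown's own safe-scheme whitelist.
    $parser->setSafeMode(true);
    return $parser->text($markdown);
}

// Constructed sample comments, not taken from any real AVideo instance.
echo renderComment('Great video, see [the docs](https://example.com/docs).'), PHP_EOL;
var_dump(commentHasUnsafeLinks('Click [here](javascript:void(0)) for more.'));
```

Safe Mode on its own already rewrites disallowed schemes; the pre-render check adds the explicit rejection the recommendation asks for so a bad comment is never stored.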

Exploit · Fix · XSS

Weakness Enumeration

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Related Identifiers

CVE-2026-27568
GHSA-RCQW-6466-3MV7

Affected Products

AVideo
Parsedown