PT-2026-25994 · Avideo · Avideo

Danielnetodotcom · Published 2026-03-17 · Updated 2026-03-20

CVE-2026-33035 · CVSS v3.1 6.1 Medium · Vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions AVideo versions 25.0 and below
Description AVideo, an open source video platform, contains a reflected cross-site scripting (XSS) vulnerability. An unauthenticated attacker can execute arbitrary JavaScript in a victim's browser by getting the victim to open a crafted URL. The value of a URL parameter is passed through PHP's json_encode() and emitted into an inline script. json_encode() escapes quotes and backslashes, so the value cannot break out of the string literal, but with default flags it leaves the characters <, > and & untouched. The JavaScript function that receives the string assigns it to innerHTML, which parses it as HTML, so markup such as an image element with an onerror handler is rendered as live DOM and its handler executes. The root cause is the combination of a user-controlled value reaching JavaScript without HTML escaping and an innerHTML sink that treats that value as markup. Possible impact includes session hijacking, account takeover, credential phishing through injected login forms, self-propagating payload distribution, and compromise of administrative accounts. Session hijacking is made easier by the absence of the HttpOnly flag on the PHPSESSID cookie, which leaves the session identifier readable from document.cookie. The vulnerable code is located in view/videoNotFound.php and view/js/script.js.
Recommendations Versions prior to 26.0 should be updated. As a code-level fix, the advisory suggests passing JSON_HEX_TAG | JSON_HEX_AMP to json_encode(), or using textContent instead of innerHTML in the JavaScript code. Of the two, changing the sink is the one that closes this bug on its own: the JSON_HEX_* flags only change how the literal is written (\u003C instead of <), and the JavaScript engine decodes the literal back to the same string, so a value that still reaches innerHTML is still parsed as markup. If innerHTML must stay, the value has to be HTML-escaped (for example with htmlspecialchars()) before it is JSON-encoded. Independently, the PHPSESSID cookie should be set with the HttpOnly flag so that a successful injection cannot read it.
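The following is an added example and is not AVideo's code or the advisory's exploit. It traces the chain described above in Node: PHP's json_encode() is re-implemented here as a small model for string values (the flag values 1, 2, 4 and 8 are PHP's own constants), the template line and the function name showNotFoundMessage are an assumed shape of the inline script rather than the real view/videoNotFound.php, and the payload is a constructed sample. It shows that the JSON_HEX_TAG | JSON_HEX_AMP flags change only the literal, that the decoded string handed to the JavaScript side is identical, and that HTML-escaping the value before encoding (or using textContent) is what keeps innerHTML from parsing it.

```javascript
// Added example (not AVideo's code): PHP json_encode() -> inline <script> -> JS string -> innerHTML.
// The PHP side is modelled in JavaScript so the whole chain runs offline in Node.

// PHP's constant values: JSON_HEX_TAG=1, JSON_HEX_AMP=2, JSON_HEX_APOS=4, JSON_HEX_QUOT=8.
const JSON_HEX_TAG = 1;
const JSON_HEX_AMP = 2;
const JSON_HEX_APOS = 4;
const JSON_HEX_QUOT = 8;

// Model of PHP json_encode() for a single string: default escaping plus the JSON_HEX_* flags.
function phpJsonEncode(str, flags = 0) {
  let out = '"';
  for (const ch of str) {
    const cp = ch.codePointAt(0);
    switch (ch) {
      case '"':  out += (flags & JSON_HEX_QUOT) ? '\\u0022' : '\\"'; break;
      case '\\': out += '\\\\'; break;
      case '/':  out += '\\/'; break; // escaped by default, so "</script>" cannot close the tag
      case '<':  out += (flags & JSON_HEX_TAG) ? '\\u003C' : '<'; break;
      case '>':  out += (flags & JSON_HEX_TAG) ? '\\u003E' : '>'; break;
      case '&':  out += (flags & JSON_HEX_AMP) ? '\\u0026' : '&'; break;
      case "'":  out += (flags & JSON_HEX_APOS) ? '\\u0027' : "'"; break;
      case '\b': out += '\\b'; break;
      case '\f': out += '\\f'; break;
      case '\n': out += '\\n'; break;
      case '\r': out += '\\r'; break;
      case '\t': out += '\\t'; break;
      default:
        if (cp < 0x20 || cp > 0x7f) {
          // other control and non-ASCII characters become \uXXXX per UTF-16 unit, as PHP does
          for (let i = 0; i < ch.length; i++) {
            out += '\\u' + ch.charCodeAt(i).toString(16).padStart(4, '0');
          }
        } else {
          out += ch;
        }
    }
  }
  return out + '"';
}

// Assumed template shape (hypothetical, not the real videoNotFound.php):
//   <script>showNotFoundMessage(<?php echo json_encode($_GET['msg'], $flags); ?>);</script>
function renderInlineScript(msg, flags = 0) {
  return '<script>showNotFoundMessage(' + phpJsonEncode(msg, flags) + ');</script>';
}

// What the JS function actually receives: the literal decoded by the engine.
// A JSON string literal is also a valid JS string literal, so JSON.parse reproduces that decoding.
function decodeJsLiteral(literal) {
  return JSON.parse(literal);
}

// Model of htmlspecialchars($s, ENT_QUOTES): escape the *value*, so innerHTML shows it as text.
function escapeHtml(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;')
          .replace(/"/g, '&quot;').replace(/'/g, '&#039;');
}

// Stand-in for the innerHTML sink: true when the value contains the start of a tag and would
// be parsed as markup. A textContent sink never parses, so it is safe with any value.
function wouldRenderAsMarkup(value) {
  return /<[A-Za-z!\/?]/.test(value);
}

// Run the chain for one payload with the three PHP-side options side by side.
function trace(payload) {
  const hex = JSON_HEX_TAG | JSON_HEX_AMP;
  const defaultLiteral = phpJsonEncode(payload);
  const hexLiteral = phpJsonEncode(payload, hex);
  const escapedLiteral = phpJsonEncode(escapeHtml(payload), hex);
  return {
    defaultLiteral,
    hexLiteral,
    escapedLiteral,
    defaultValue: decodeJsLiteral(defaultLiteral),
    hexValue: decodeJsLiteral(hexLiteral),
    escapedValue: decodeJsLiteral(escapedLiteral),
    markupByDefault: wouldRenderAsMarkup(decodeJsLiteral(defaultLiteral)),
    markupWithHexFlags: wouldRenderAsMarkup(decodeJsLiteral(hexLiteral)),
    markupWhenEscaped: wouldRenderAsMarkup(decodeJsLiteral(escapedLiteral)),
  };
}

// Constructed sample payload in the style the advisory describes (not a string taken from the page).
const SAMPLE_PAYLOAD = '<img src=x onerror=alert(document.cookie)>';

if (typeof require !== 'undefined' && require.main === module) {
  console.log(renderInlineScript(SAMPLE_PAYLOAD));
  console.log(renderInlineScript(SAMPLE_PAYLOAD, JSON_HEX_TAG | JSON_HEX_AMP));
  console.log(trace(SAMPLE_PAYLOAD));
}
```

Running it prints the two inline scripts and a trace object: defaultValue and hexValue are the same string, markupByDefault and markupWithHexFlags are both true, and only the HTML-escaped variant yields a value that innerHTML would display as text. The model also shows why a plain </script> breakout is not the issue here: the default escaping of / as \/ already prevents it, which is exactly why the sink, not the literal, is where this bug lives.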

XSS

Related Identifiers

CVE-2026-33035
GHSA-WFQ5-QGQP-HVHV

Affected Products

Avideo