PT-2026-26473 · Wwbn · Avideo+1

Fg0X0 · Published 2026-03-19 · Updated 2026-03-23 · CVE-2026-33295

CVSS v4.0: 8.2 (High)
Vector: AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N

Name of the Vulnerable Software and Affected Versions

WWBN AVideo versions prior to 26.0

Description

WWBN AVideo, an open source video platform, contains a stored cross-site scripting issue in the CDN plugin’s download buttons component. The clean_title field of a video record, which is derived from the user-supplied video title, is interpolated directly into a JavaScript string literal without proper escaping. This allows an attacker with video creation or modification privileges to inject arbitrary JavaScript code that will execute in the browser of any user who visits the affected download page. The injected script executes in the security context of the user loading the download page.

The vulnerability resides in the PHP code at line 59 of the affected file, where the clean_title value is echoed verbatim inside a JavaScript string literal. The vulnerable code constructs a JavaScript function call using the following format:

downloadURLOrAlertError(url, {}, '<?php echo $video['clean_title']; ?>.' + format, progress);

Recommendations

Versions prior to 26.0 should be updated to version 26.0 or later.
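
The verbatim interpolation described above, beside a context-aware encoding of the same value, as an added PHP example (not AVideo's code and not its actual patch). The function names and sample titles are constructed, and using json_encode() with the JSON_HEX_* flags is an assumption about how such output is commonly hardened, not a statement of what version 26.0 changed.

```php
<?php
// Added example, not AVideo code. Sample titles are constructed.

// Pattern from the advisory: the value is echoed verbatim between the
// single quotes of a JavaScript string literal.
function vulnerableLiteral(string $cleanTitle): string
{
    return "'" . $cleanTitle . "'";
}

// Context-aware encoding: json_encode() returns a complete, double-quoted
// JS string literal. The JSON_HEX_* flags turn < > & ' " into \uXXXX
// escapes, so the value cannot end the literal or the <script> element.
function hardenedLiteral(string $cleanTitle): string
{
    return json_encode(
        $cleanTitle,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// True when nothing between the delimiters can terminate the literal,
// the statement line, or the enclosing script block.
function staysInsideLiteral(string $literal): bool
{
    $inner = substr($literal, 1, -1);
    return preg_match('/[\'"<>&\r\n]/', $inner) === 0;
}

function renderCall(string $literal): string
{
    return "downloadURLOrAlertError(url, {}, {$literal} + '.' + format, progress);";
}

$samples = ['holiday-clip', "bob's-clip", 'clip</script>', "two\nlines"];
foreach ($samples as $title) {
    $old = vulnerableLiteral($title);
    $new = hardenedLiteral($title);
    // The hardened literal must decode back to the exact original value.
    $roundTrip = json_decode($new, false, 512, JSON_THROW_ON_ERROR) === $title;
    printf(
        "%-16s verbatim=%-6s encoded=%-6s round-trip=%s\n    %s\n",
        json_encode($title),
        staysInsideLiteral($old) ? 'safe' : 'BREAKS',
        staysInsideLiteral($new) ? 'safe' : 'BREAKS',
        $roundTrip ? 'yes' : 'no',
        renderCall($new)
    );
}
```

Run with the PHP CLI (7.3 or later for JSON_THROW_ON_ERROR); the same staysInsideLiteral() check can be used in a unit test over any template helper that writes server-side values into inline script.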

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2026-33295
GHSA-GC3M-4MCR-H3PV

Affected Products

Avideo
Cdn Plugin