PT-2026-26784 · Avideo · Avideo

Restriction · Published 2026-03-20 · Updated 2026-04-15 · CVE-2026-33500

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: AVideo, versions up to and including 26.0
Description: AVideo is vulnerable to stored cross-site scripting (XSS) through markdown link injection in comments. The fix for a previous issue introduced a custom class, ParsedownSafeWithLinks, intended to sanitize HTML tags in comments, but it inadvertently disabled Parsedown's safe mode. With safe mode off, Parsedown's built-in filtering of javascript: URIs is inactive, so markdown link syntax such as [text](javascript:alert(1)) is rendered as a clickable link: the inlineLink() method processes markdown links without the scheme filtering that safe mode would apply, and without the sanitization applied to raw HTML tags. An attacker able to post a comment can store such a payload in the database; it is served to every user who views the page and executes when the link is clicked. Successful exploitation can lead to session hijacking, allowing the attacker to steal session cookies and potentially take over accounts, including those with administrative privileges.
Recommendations: For AVideo versions prior to 26.1, override the inlineLink() method in the ParsedownSafeWithLinks class so that URL scheme filtering is applied to markdown-generated links (the filtering Parsedown's safe mode normally provides). Alternatively, re-enable safe mode (safeMode(true)) and find a different approach to allowing <a> and <img> tags in comments.
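The first recommendation above, as an added example that is not AVideo's or Parsedown's own code: a hypothetical subclass (the class name ParsedownSafeWithLinksFixed, the allowed-scheme list and the Parsedown.php path are assumptions) that leaves safe mode off, as the advisory describes, but overrides inlineLink() to apply scheme filtering to markdown links itself. Disallowed schemes are neutralised the same way Parsedown's own safe mode does, by replacing ':' with '%3A', so the link text still renders but the href becomes a harmless relative path. Because Parsedown's inlineImage() builds on inlineLink(), ![alt](data:...) image sources get the same check. The sample comments at the bottom are constructed for illustration.

```php
<?php
// Added illustration, not AVideo's or Parsedown's code. Assumes the
// Parsedown library is available as Parsedown.php (the path is an assumption).
require_once __DIR__ . '/Parsedown.php';

// Hypothetical hardened variant of the ParsedownSafeWithLinks class named in
// the advisory: safe mode stays off (so the surrounding code can still let
// <a> and <img> tags through), but markdown-generated links get scheme
// filtering back by overriding inlineLink().
class ParsedownSafeWithLinksFixed extends Parsedown
{
    // Schemes a comment link may use (assumed policy). Anything else,
    // including javascript:, data: and vbscript:, is neutralised.
    private const ALLOWED_SCHEMES = ['http', 'https', 'mailto'];

    /**
     * True if $url is relative (has no scheme) or uses an allowed scheme.
     */
    public static function isSafeUrl(string $url): bool
    {
        // Browsers drop ASCII tab/newline inside a URL and trim leading
        // control characters and spaces, so strip them before reading the
        // scheme; otherwise "java\tscript:alert(1)" would look scheme-less.
        $normalised = preg_replace('/[\x00-\x20\x7f]+/', '', $url);

        // No "scheme:" prefix => relative URL such as /watch?v=1 or #top.
        if (!preg_match('/^([a-z][a-z0-9+.\-]*):/i', $normalised, $m)) {
            return true;
        }
        return in_array(strtolower($m[1]), self::ALLOWED_SCHEMES, true);
    }

    /**
     * Parsedown calls this for [text](url "title"); inlineImage() reuses it
     * for ![alt](url), so filtering here covers both href and src.
     */
    protected function inlineLink($Excerpt)
    {
        $Link = parent::inlineLink($Excerpt);
        if ($Link === null) {
            return null;
        }

        $href = $Link['element']['attributes']['href'] ?? '';
        if (!self::isSafeUrl($href)) {
            // Same neutralisation Parsedown applies in safe mode: turning
            // ':' into '%3A' yields a harmless relative path such as
            // "javascript%3Aalert(1)" while the link text still renders.
            $Link['element']['attributes']['href'] = str_replace(':', '%3A', $href);
        }
        return $Link;
    }
}

// Constructed sample comments (not real AVideo data) showing the result.
$parser = new ParsedownSafeWithLinksFixed();
$parser->setSafeMode(false); // the advisory's situation: raw HTML allowed

$samples = [
    '[click](javascript:alert(1))',                     // neutralised
    "[tab](java\tscript:alert(document.cookie))",       // neutralised despite the tab
    '![x](data:text/html,<script>alert(1)</script>)',   // neutralised via inlineImage()
    '[ok](https://example.com/video?id=1)',             // allowed
    '[rel](/watch?v=1)',                                // allowed, relative URL
];
foreach ($samples as $markdown) {
    echo $parser->line($markdown), PHP_EOL;
}
```

The check deliberately runs on a normalised copy of the URL while the original string is what gets emitted: stripping control characters can only make the check stricter, never looser, which is the right direction for a deny-by-default scheme filter. Protocol-relative URLs (//host/path) pass as scheme-less; they navigate but cannot execute script, so they fall outside this advisory's issue.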

Exploit · Fix · XSS



Related Identifiers

CVE-2026-33500
GHSA-72H5-39R7-R26J
GHSA-M7R8-6Q9J-M2HC

Affected Products

Avideo