PT-2026-27186 · Avideo · Avideo

Restriction · Published 2026-03-23 · Updated 2026-03-25 · CVE-2026-33683

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: AVideo versions up to and including 26.0

Description: A flaw exists in the order of operations during sanitization of the user profile "about" field. It allows any registered user to inject arbitrary JavaScript that executes when other users visit their channel page. The xss_esc() function entity-encodes the input before the strip_specific_tags() function can identify and remove dangerous HTML tags; because the tag delimiters are already encoded, nothing is stripped. On output, the html_entity_decode() function reverses the encoding, restoring the original malicious HTML.

Recommendations: Update to a version after 26.0.
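As an added illustration, not AVideo's code, the following Python simulates the three-step pipeline described above: a stand-in strip_specific_tags() that only recognises literal '<' characters, run first in the advisory's order (encode, strip, decode) and then in a corrected order where stripping happens on the decoded text. The sample "about" text and the tag list are constructed assumptions.

```python
import html
import re

# Constructed sample "about" text; an assumption for this example, not an AVideo payload.
ABOUT = 'Hi! <b>fan</b> of cats <script>alert(1)</script>'

# Tags the simulated strip_specific_tags() removes (assumed list, not AVideo's own).
DANGEROUS_TAGS = "|".join(("script", "iframe", "object", "embed"))


def strip_specific_tags(text: str) -> str:
    """Remove dangerous tags, with their bodies, from unencoded HTML text.
    It only matches a literal '<', so it sees nothing in entity-encoded input."""
    paired = r"<\s*(%s)\b[^>]*>.*?<\s*/\s*\1\s*>" % DANGEROUS_TAGS
    text = re.sub(paired, "", text, flags=re.IGNORECASE | re.DOTALL)
    loose = r"<\s*/?\s*(%s)\b[^>]*>" % DANGEROUS_TAGS  # unmatched open/close tags
    return re.sub(loose, "", text, flags=re.IGNORECASE)


def vulnerable_render(user_input: str) -> str:
    """The order described in the advisory: encode, strip, then decode on output."""
    encoded = html.escape(user_input)        # '<script>' becomes '&lt;script&gt;'
    stripped = strip_specific_tags(encoded)  # no '<' left to match: strips nothing
    return html.unescape(stripped)           # decoding restores the original tag


def fixed_render(user_input: str) -> str:
    """Strip on the decoded form, i.e. on the text the browser will actually parse."""
    encoded = html.escape(user_input)        # storage encoding is harmless by itself
    decoded = html.unescape(encoded)         # the output path still decodes...
    return strip_specific_tags(decoded)      # ...so tag removal must come after it


def has_tag(rendered: str, tag: str = "script") -> bool:
    """True if a live (unencoded) <tag> survives in the rendered output."""
    return re.search(r"<\s*%s\b" % tag, rendered, re.IGNORECASE) is not None


if __name__ == "__main__":
    print("vulnerable:", vulnerable_render(ABOUT))  # script tag comes back intact
    print("fixed:     ", fixed_render(ABOUT))       # 'Hi! <b>fan</b> of cats '
```

A tag denylist like this stand-in still leaves attribute-based HTML unhandled, so the robust fix is an allowlist HTML sanitizer applied to the decoded form; the example only demonstrates why the ordering matters.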

Category: XSS

Weakness Enumeration

Related Identifiers

CVE-2026-33683
GHSA-GHX5-7JJG-Q2J7

Affected Products

Avideo