CVE-2026-39367

Name of the Vulnerable Software and Affected Versions AVideo versions 26.0 and prior

Description AVideo's EPG (Electronic Program Guide) feature parses XML from user-controlled URLs and renders programme titles directly into HTML without sanitization or escaping. A user with upload permission can set a video's epg link to a malicious XML file containing JavaScript within its elements. This payload executes in the browser of any unauthenticated visitor to the public EPG page, potentially enabling session hijacking and account takeover.

Recommendations Update to a version of AVideo newer than 26.0.