PT-2026-34206 · Avideo · Avideo

Published: 2026-04-14 · Updated: 2026-04-25 · CVE-2026-41061

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: WWBN AVideo versions prior to 29.1

Description: The isValidDuration() function at 'objects/video.php:918' validates a duration with the regular expression /^[0-9]{1,2}:[0-9]{1,2}:[0-9]{1,2}/, which has a ^ start anchor but no $ end anchor. Any string that begins with a well-formed HH:MM:SS prefix therefore passes the check, so arbitrary HTML or JavaScript can be appended after the prefix. The crafted duration is stored in the database and later rendered without HTML escaping by Video::getCleanDuration() on trending pages, playlist pages, and video gallery thumbnails. The result is stored cross-site scripting (XSS): the injected script is persisted on the server and delivered to every user who views those pages.

Recommendations: Update to a version containing commit bcba324644df8b4ed1f891462455f1cd26822a45.
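The two controls this advisory describes, an end-anchored validator and HTML escaping at render time, as an added illustration written for this page in Python (not code from AVideo or from the advisory; the project itself is PHP). The duration strings are constructed test inputs, and the minute/second range check is an extra hardening step not mentioned above.

```python
import html
import re

# Pattern as the advisory describes it for isValidDuration()
# (objects/video.php:918 before the fix): no trailing anchor, so any
# string that starts with a valid H:M:S prefix is accepted.
UNANCHORED = re.compile(r"^[0-9]{1,2}:[0-9]{1,2}:[0-9]{1,2}")

# Hardened pattern. \Z (Python) or \z / the D modifier (PCRE) rejects a
# trailing newline that a plain $ would still let through.
ANCHORED = re.compile(r"^[0-9]{1,2}:[0-9]{1,2}:[0-9]{1,2}\Z")


def is_valid_duration_vulnerable(duration: str) -> bool:
    """Mirror of the unanchored check: a matching prefix is enough."""
    return UNANCHORED.search(duration) is not None


def is_valid_duration_fixed(duration: str) -> bool:
    """Whole-string match, plus a range check (assumed extra) on the
    minute and second fields."""
    if ANCHORED.match(duration) is None:
        return False
    _, minutes, seconds = (int(p) for p in duration.split(":"))
    return minutes < 60 and seconds < 60


def clean_duration(duration: str) -> str:
    """Canonicalise to HH:MM:SS from the parsed integers, so the value
    written to the database can only ever contain digits and colons."""
    if not is_valid_duration_fixed(duration):
        raise ValueError("invalid duration")
    h, m, s = (int(p) for p in duration.split(":"))
    return f"{h:02d}:{m:02d}:{s:02d}"


def render_duration(stored: str) -> str:
    """Output side: escape whatever came back from the database before it
    reaches a page, the second control the advisory says was missing."""
    return html.escape(stored, quote=True)
```

Even if a legacy row already holds an appended tag, render_duration() neutralises it; clean_duration() stops new ones from being stored at all.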

XSS

Weakness Enumeration

Related Identifiers: CVE-2026-41061, GHSA-8PV3-29PP-PF8F

Affected Products: Avideo