PT-2026-34208 · Wwbn · Avideo
Published: 2026-04-14 · Updated: 2026-04-25 · CVE-2026-41063
CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
WWBN AVideo versions 29.0 and earlier
Description
An incomplete fix for cross-site scripting in the ParsedownSafeWithLinks class allows the use of javascript: URLs in markdown link syntax to bypass sanitization. This occurs because the inlineMarkup for raw HTML is overridden, but the inlineLink() and inlineUrlTag() functions are not.
Recommendations
Update to the version containing commit cae8f0dadbdd962c89b91d0095c76edb8aadcacf.
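An added audit example, not code from AVideo or from the advisory: after updating, stored markdown can be scanned for link destinations whose scheme falls outside an allowlist. It covers the inline-link and autolink syntaxes only; the allowlist, function names and sample text are assumptions made for this illustration.

```python
import re

# Assumption: schemes this site accepts in user-supplied links.
ALLOWED_SCHEMES = {"http", "https", "mailto"}

# [text](destination ...) -- the syntax Parsedown routes through inlineLink()
INLINE_LINK = re.compile(r"\[[^\]]*\]\(\s*<?([^)\s>]*)")
# <scheme:...> autolinks -- the syntax Parsedown routes through inlineUrlTag()
AUTOLINK = re.compile(r"<([A-Za-z][A-Za-z0-9+.\-]*:[^>\s]*)>")
SCHEME = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")


def scheme_of(dest):
    """Return the lower-cased URL scheme, or None for relative/fragment links."""
    # Conservatively drop C0 control characters and spaces before reading
    # the scheme, then compare case-insensitively.
    cleaned = re.sub(r"[\x00-\x20]", "", dest)
    match = SCHEME.match(cleaned)
    return match.group(1).lower() if match else None


def find_unsafe_links(markdown):
    """Return (line_number, destination) for each link with a disallowed scheme."""
    findings = []
    for lineno, line in enumerate(markdown.splitlines(), start=1):
        for dest in INLINE_LINK.findall(line) + AUTOLINK.findall(line):
            scheme = scheme_of(dest)
            if scheme is not None and scheme not in ALLOWED_SCHEMES:
                findings.append((lineno, dest))
    return findings


# Constructed sample input, not taken from AVideo or the advisory.
SAMPLE = """\
See the [docs](https://example.com/help) or [top](#top).
[click me](javascript:void(0))
Autolink: <javascript:void(0)> and <https://example.com/>
"""

if __name__ == "__main__":
    for lineno, dest in find_unsafe_links(SAMPLE):
        print(f"line {lineno}: disallowed link destination {dest!r}")
```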
Affected Products
Avideo