PT-2026-34208 · Wwbn · Avideo
Published: 2026-04-21 · Updated: 2026-04-21
CVE-2026-41063
CVSS v3.1: 5.4 Medium (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
WWBN AVideo is an open source video platform. In versions 29.0 and below, an incomplete XSS fix in AVideo's ParsedownSafeWithLinks class overrides inlineMarkup for raw HTML but does not override inlineLink() or inlineUrlTag(), allowing javascript: URLs in markdown link syntax to bypass sanitization. Commit cae8f0dadbdd962c89b91d0095c76edb8aadcacf contains an updated fix.
Fix
XSS
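The missing check described above, as an added example (not AVideo's code and not the code from the referenced commit): a scheme allowlist applied to the href that a markdown link handler produces. The function names, the allowlist, and the sample array (modeled on the shape Parsedown's inline handlers return) are assumptions.

```php
<?php
// Added example, not AVideo's code: scheme allowlist for markdown link targets.
const ALLOWED_SCHEMES = ['http', 'https', 'mailto']; // assumed policy

function link_href_is_safe(string $href): bool
{
    // Browsers strip leading control characters and spaces and ignore tabs and
    // newlines inside a URL, so remove them all before looking for a scheme.
    $clean = preg_replace('/[\x00-\x20\x7f]+/', '', $href);
    if ($clean === null || $clean === '') {
        return false;
    }
    // RFC 3986 scheme: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) ":"
    if (preg_match('/^([a-z][a-z0-9+.\-]*):/i', $clean, $m) === 1) {
        return in_array(strtolower($m[1]), ALLOWED_SCHEMES, true);
    }
    return true; // no scheme: relative URL, path, or #fragment
}

// Hypothetical helper: takes the array an inline handler such as inlineLink()
// or inlineUrlTag() produced and returns null (treated as "no match", so the
// markdown stays literal text) when the href is missing or disallowed.
function filter_link_inline(?array $inline): ?array
{
    $href = $inline['element']['attributes']['href'] ?? null;
    if (!is_string($href) || !link_href_is_safe($href)) {
        return null;
    }
    return $inline;
}

// Constructed sample hrefs, as they would appear in [text](href) or <href>.
$samples = [
    'https://example.com/watch?v=1',
    '/channel/demo#about',
    'mailto:admin@example.com',
    'javascript:alert(1)',
    ' JaVaScRiPt:alert(1)',
    'data:text/html,<b>x</b>',
];
foreach ($samples as $href) {
    $inline = ['extent' => 0, 'element' => ['name' => 'a', 'text' => 'link',
        'attributes' => ['href' => $href]]];
    $verdict = filter_link_inline($inline) === null ? 'drop' : 'keep';
    printf("%-4s %s\n", $verdict, json_encode($href));
}
```

The same filter has to sit behind every handler that can emit an href; covering only one of them reproduces the gap this entry describes.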
Affected Products
Avideo