PT-2026-44848 · Avideo · Avideo
Proochicken · Published 2026-05-29 · Updated 2026-06-04 · CVE-2026-47694
CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: AVideo versions 29.0 and earlier

Description: AVideo stores category descriptions supplied by users and renders the category description variable as raw HTML in the Gallery view. A user with permission to create or edit categories can place JavaScript in the description field, and that script executes when another user or an administrator views the affected Gallery or category page. The stored Cross-Site Scripting (XSS) exists because the value is output without encoding or sanitization in plugin/Gallery/view/mainAreaCategory.php. An attacker can use this to perform actions as the victim, read same-origin data, or trigger administrative UI actions.

Recommendations: For versions 29.0 and earlier, sanitize category descriptions on input using the same HTML policy applied to video descriptions, or store them as plain text. Additionally, encode the value on output with htmlspecialchars(), or pass the description through HTMLPurifier before storage or rendering.
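The two rendering policies in the recommendation, shown side by side as an added example (this is not AVideo's code and does not reproduce mainAreaCategory.php; the function names, the wrapper markup and the sample description are assumptions made for illustration). The raw function stands for the pattern the advisory describes; the encoded and purified functions show the plain-text and allow-listed HTML alternatives.

```php
<?php
// Added example, not AVideo project code. Function names, the wrapper <div>
// and SAMPLE_DESCRIPTION are assumptions for illustration only.
declare(strict_types=1);

// Constructed sample standing in for a category description saved by a user
// who holds category-edit permissions.
const SAMPLE_DESCRIPTION = 'Summer clips <img src=x onerror="alert(1)"> <script>alert(1)</script>';

/**
 * Pattern the advisory describes: the stored value is concatenated straight
 * into the HTML body, so any markup or script it carries becomes part of
 * the page when the Gallery view is rendered.
 */
function renderDescriptionRaw(string $description): string
{
    return '<div class="category-description">' . $description . '</div>';
}

/**
 * Plain-text policy: treat the description as text and encode it for an
 * HTML body context. ENT_QUOTES also encodes quotes, so the same helper is
 * safe inside quoted attribute values; ENT_SUBSTITUTE avoids returning an
 * empty string when the stored value contains invalid UTF-8.
 */
function renderDescriptionEncoded(string $description): string
{
    $encoded = htmlspecialchars($description, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<div class="category-description">' . $encoded . '</div>';
}

/**
 * Rich-text policy: when a subset of HTML is wanted, filter the value
 * through an allow-list sanitizer (HTMLPurifier, as the advisory suggests)
 * before storage or rendering. Assumes the HTMLPurifier library is
 * autoloaded; falls back to plain-text encoding when it is not present.
 */
function renderDescriptionPurified(string $description): string
{
    if (!class_exists('HTMLPurifier')) {
        return renderDescriptionEncoded($description);
    }
    $config = HTMLPurifier_Config::createDefault();
    // Only these elements/attributes survive; event handlers and <script> do not.
    $config->set('HTML.Allowed', 'p,br,b,strong,i,em,a[href]');
    $config->set('URI.AllowedSchemes', ['http' => true, 'https' => true]);
    $purifier = new HTMLPurifier($config);
    return '<div class="category-description">' . $purifier->purify($description) . '</div>';
}

// Self-check: the raw pattern passes the <script> element through unchanged,
// while the encoded form turns its delimiters into entities so the browser
// displays the markup as literal text instead of executing it.
$raw     = renderDescriptionRaw(SAMPLE_DESCRIPTION);
$encoded = renderDescriptionEncoded(SAMPLE_DESCRIPTION);

assert(strpos($raw, '<script>') !== false);
assert(strpos($encoded, '<script>') === false);
assert(strpos($encoded, '&lt;script&gt;') !== false);

echo "raw:      ", $raw, PHP_EOL;
echo "encoded:  ", $encoded, PHP_EOL;
echo "purified: ", renderDescriptionPurified(SAMPLE_DESCRIPTION), PHP_EOL;
```

Run with `php example.php`. The encoded path is the smaller change and needs no dependency; the purified path is the one to reach for only if category descriptions are meant to carry formatting, and in that case the same allow-list should be applied at save time as well so the database never holds active content.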

Tags: Exploit · Fix · XSS


Weakness Enumeration

Related Identifiers

CVE-2026-47694
GHSA-C8H8-VQ34-9FW2

Affected Products

Avideo