Cross-Site Scripting Vulnerability in WWBN AVideo Open Source Video Platform
CVE-2026-39367

5.4 MEDIUM

Key Information:

Vendor

Wwbn

Status
Vendor
CVE Published:
7 April 2026

What is CVE-2026-39367?

The vulnerability in WWBN AVideo's EPG feature arises from improper handling of user-controlled XML data. In affected versions (26.0 and prior), program titles are rendered directly into HTML without adequate sanitization or escaping. This flaw enables users with upload permissions to set a video's epg_link to a location hosting malicious XML files. If such a link is accessed, JavaScript embedded within elements executes in the browsers of unauthenticated visitors to the public EPG page. This exploit could lead to session hijacking and unauthorized account access, seriously compromising user security.
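The rendering flaw described above, shown next to its output-escaped form. This is an added example, not AVideo's code: the XMLTV-style element names (`tv`, `programme`, `title`), the sample document and the function names are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample of an XMLTV-style EPG file, as could be served from a
// user-supplied epg_link. The second title contains markup (entity-encoded in
// the XML, so the parser returns it as the literal text "<script>...").
$sampleEpg = <<<'XML'
<tv>
  <programme channel="ch1"><title>Evening News</title></programme>
  <programme channel="ch1"><title>&lt;script&gt;alert(1)&lt;/script&gt;</title></programme>
</tv>
XML;

// Hypothetical helper: extract programme titles as plain strings.
function epgTitles(string $xml): array
{
    // LIBXML_NONET keeps the parser from fetching anything over the network.
    $doc = simplexml_load_string($xml, SimpleXMLElement::class, LIBXML_NONET);
    if ($doc === false) {
        return [];
    }
    $titles = [];
    foreach ($doc->programme as $programme) {
        $titles[] = (string) $programme->title;
    }
    return $titles;
}

// The pattern the advisory describes: the title is concatenated into HTML as-is.
function renderUnescaped(array $titles): string
{
    return implode("\n", array_map(
        fn (string $t): string => '<li class="epg-title">' . $t . '</li>',
        $titles
    ));
}

// Hardened form: each title is HTML-escaped at the point of output.
function renderEscaped(array $titles): string
{
    return implode("\n", array_map(
        fn (string $t): string => '<li class="epg-title">'
            . htmlspecialchars($t, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</li>',
        $titles
    ));
}

$titles = epgTitles($sampleEpg);
echo "Unescaped:\n", renderUnescaped($titles), "\n\nEscaped:\n", renderEscaped($titles), "\n";
```

In the escaped output the second title appears as `&lt;script&gt;alert(1)&lt;/script&gt;`, so the browser displays it as text instead of parsing it as markup.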

Affected Version(s)

AVideo <= 26.0

CVSS V3.1

Score:
5.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
