Stored Cross-Site Scripting in AVideo by WWBN
CVE-2026-41061
5.4 MEDIUM
What is CVE-2026-41061?
AVideo, an open-source video platform, is vulnerable to stored cross-site scripting due to a flaw in the regex validation of video duration. The vulnerability exists in versions 29.0 and below, where the isValidDuration() function allows for arbitrary HTML/JavaScript to be appended after a valid duration prefix, as the regular expression used does not enforce an end anchor. Consequently, crafted durations can be stored in the database and rendered without proper HTML escaping on various pages, such as trending pages and video gallery thumbnails, potentially leading to harmful scripts being executed in the user’s browser. A fix has been implemented in commit bcba324644df8b4ed1f891462455f1cd26822a45.
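The missing end anchor described above, shown beside an anchored check and escaping at render time. This is an added example, not AVideo's code or the code of the fixing commit: the HH:MM:SS format, both regular expressions, and the function names isValidDurationUnanchored, isValidDurationStrict and renderDuration are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added illustration. The HH:MM:SS format and both patterns are assumptions,
// not code copied from AVideo.

// Flawed shape: anchored at the start only, so any suffix after a valid
// duration prefix still passes validation.
function isValidDurationUnanchored(string $duration): bool
{
    return preg_match('/^\d{1,2}:\d{2}:\d{2}/', $duration) === 1;
}

// Hardened: \A and \z pin both ends. \z is used instead of $ because $
// also matches just before a trailing newline.
function isValidDurationStrict(string $duration): bool
{
    return preg_match('/\A\d{1,2}:\d{2}:\d{2}\z/', $duration) === 1;
}

// Output-side defence: escape when rendering, so a bad value that is already
// stored is displayed as text rather than parsed as markup.
function renderDuration(string $duration): string
{
    return '<span class="duration">'
        . htmlspecialchars($duration, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
        . '</span>';
}

// Constructed sample inputs; the markup is a harmless marker.
$samples = [
    '00:01:30',
    "00:01:30\n",
    '00:01:30<b>marker</b>',
    '<b>marker</b>00:01:30',
];

foreach ($samples as $value) {
    printf(
        "%-28s unanchored=%-5s strict=%-5s rendered=%s\n",
        json_encode($value, JSON_UNESCAPED_SLASHES),
        var_export(isValidDurationUnanchored($value), true),
        var_export(isValidDurationStrict($value), true),
        renderDuration($value)
    );
}
```

Input validation and output escaping are independent controls: the strict pattern stops new bad values from being stored, while escaping at render time covers values that were stored before the validation was fixed.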
Affected Version(s)
AVideo <= 29.0
