XSS Vulnerability in WWBN AVideo Open Source Video Platform
CVE-2026-41063

5.4 MEDIUM

Key Information:

Vendor

Wwbn

Status
Vendor
CVE Published: 21 April 2026

What is CVE-2026-41063?

AVideo, an open source video platform developed by WWBN, contains a Cross-Site Scripting (XSS) vulnerability in versions 29.0 and earlier. The flaw resides in the ParsedownSafeWithLinks class, where an incomplete fix allows raw HTML to override certain sanitization functions. Specifically, the methods inlineLink() and inlineUrlTag() do not block javascript: URLs in markdown links, so such a link can execute script when it is followed, posing a significant security risk. An updated patch is available to mitigate this vulnerability.
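
The check the description says is missing, a scheme allowlist applied to a markdown link destination before it is written into an href, can look like the following. This is an added example, not AVideo or Parsedown code; the function names, the allowlist and the sample destinations are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

// Assumed allowlist; anything else (javascript:, data:, vbscript:, ...) is refused.
const ALLOWED_SCHEMES = ['http', 'https', 'mailto'];

function is_safe_link_destination(string $url): bool
{
    // Browsers drop tab, CR and LF anywhere in a URL and trim leading control
    // characters and spaces, so the check must see the URL the same way.
    $url = ltrim(str_replace(["\t", "\r", "\n"], '', $url), "\x00..\x20");
    if ($url === '') {
        return false;
    }
    // Well-formed scheme (RFC 3986): compare case-insensitively against the allowlist.
    if (preg_match('/^([a-z][a-z0-9+.\-]*):/i', $url, $m) === 1) {
        return in_array(strtolower($m[1]), ALLOWED_SCHEMES, true);
    }
    // No scheme: treat as relative, but refuse a colon before the first "/", "?" or "#".
    $head = substr($url, 0, strcspn($url, '/?#'));
    return strpos($head, ':') === false;
}

function render_link(string $text, string $url): string
{
    $label = htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    if (!is_safe_link_destination($url)) {
        return $label; // keep the label, drop the link
    }
    // Escaping on output keeps the browser's view of the URL identical to the validated string.
    $href = htmlspecialchars($url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<a href="' . $href . '" rel="nofollow noopener">' . $label . '</a>';
}

// Constructed sample destinations, as they would arrive from [label](destination).
$samples = [
    'https://example.com/watch?v=1',
    '/channel/demo',
    'mailto:admin@example.com',
    'JaVaScRiPt:void(0)',
    " \tjava\nscript:void(0)",
    'data:text/html,x',
];
foreach ($samples as $url) {
    printf("%-5s %s\n", is_safe_link_destination($url) ? 'allow' : 'block', json_encode($url));
}
```

The first three samples are allowed and the last three are blocked. The same check has to run on every path that produces a link, which is the point of the advisory: a filter applied to raw HTML alone leaves the markdown link and autolink paths open.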

Affected Version(s)

AVideo <= 29.0

CVSS V3.1

Score: 5.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
