Reflected XSS Vulnerability in AVideo Open Source Video Platform
CVE-2026-50182
What is CVE-2026-50182?
AVideo, an open-source video platform, has a vulnerability in versions before 29.0 that allows unauthenticated reflected XSS attacks. This occurs through the AVideo YouTubeAPI Gallery Pagination, where the user input in the 'search' query parameter is directly inserted into the href attributes without proper sanitization. An attacker can craft a malicious URL that, when followed, executes arbitrary JavaScript within the context of the AVideo site, potentially leading to the hijacking of sessions and unauthorized administrative actions. This can allow attackers to create users, elevate privileges, change configurations, and install plugins, thereby compromising the entire application security. A fix has been implemented in subsequent releases.
Affected Version(s)
AVideo <= 29.0
