Reflected XSS Vulnerability in AVideo Open Source Video Platform
CVE-2026-50182

6.1MEDIUM

Key Information:

Vendor

Wwbn

Status
Vendor
CVE Published:
15 July 2026

What is CVE-2026-50182?

AVideo, an open-source video platform, has a vulnerability in versions before 29.0 that allows unauthenticated reflected XSS attacks. This occurs through the AVideo YouTubeAPI Gallery Pagination, where the user input in the 'search' query parameter is directly inserted into the href attributes without proper sanitization. An attacker can craft a malicious URL that, when followed, executes arbitrary JavaScript within the context of the AVideo site, potentially leading to the hijacking of sessions and unauthorized administrative actions. This can allow attackers to create users, elevate privileges, change configurations, and install plugins, thereby compromising the entire application security. A fix has been implemented in subsequent releases.

Affected Version(s)

AVideo <= 29.0

References

CVSS V3.1

Score:
6.1
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.