Stored Cross-Site Scripting Vulnerability in WWBN AVideo YouTubeAPI Plugin
CVE-2026-50183
What is CVE-2026-50183?
The WWBN AVideo platform, an open-source video solution, is vulnerable to a stored Cross-Site Scripting (XSS) attack via its YouTubeAPI plugin. In versions 29.0 and below, the plugin outputs the snippet.title from the YouTube Data API into the homepage gallery without proper HTML encoding. This allows malicious users to inject custom HTML via video titles. When a title containing JavaScript is set by a video uploader, each visitor to the AVideo site, including administrators, may inadvertently execute this script. The JavaScript payload could perform unauthorized actions, such as creating new users or altering configurations, compromising the security of the platform. This XSS vulnerability persists in the cache for up to one hour, even if the offending video is removed from YouTube. Mitigation measures have been implemented in recent updates, as documented in updates from WWBN.
Affected Version(s)
AVideo <= 29.0
