Stored Cross-Site Scripting Vulnerability in WWBN AVideo YouTubeAPI Plugin
CVE-2026-50183

4.7MEDIUM

Key Information:

Vendor

Wwbn

Status
Vendor
CVE Published:
15 July 2026

What is CVE-2026-50183?

The WWBN AVideo platform, an open-source video solution, is vulnerable to a stored Cross-Site Scripting (XSS) attack via its YouTubeAPI plugin. In versions 29.0 and below, the plugin outputs the snippet.title from the YouTube Data API into the homepage gallery without proper HTML encoding. This allows malicious users to inject custom HTML via video titles. When a title containing JavaScript is set by a video uploader, each visitor to the AVideo site, including administrators, may inadvertently execute this script. The JavaScript payload could perform unauthorized actions, such as creating new users or altering configurations, compromising the security of the platform. This XSS vulnerability persists in the cache for up to one hour, even if the offending video is removed from YouTube. Mitigation measures have been implemented in recent updates, as documented in updates from WWBN.

Affected Version(s)

AVideo <= 29.0

References

CVSS V3.1

Score:
4.7
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.