GHSA-GC3M-4MCR-H3PV
Vulnerability from github – Published: 2026-03-19 17:12 – Updated: 2026-03-25 18:35Summary
WWBN/AVideo contains a stored cross-site scripting vulnerability in the CDN plugin's download buttons component. The clean_title field of a video record is interpolated directly into a JavaScript string literal without any escaping, allowing an attacker who can create or modify a video to inject arbitrary JavaScript that executes in the browser of any user who visits the affected download page.
Details
At line 59 of the affected file, the following PHP code constructs a JavaScript function call:
downloadURLOrAlertError(url, {}, '<?php echo $video['clean_title']; ?>.' + format, progress);
The clean_title value is echoed verbatim inside a single-quoted JavaScript string literal. No JavaScript-context escaping is applied, such as wrapping with json_encode or htmlspecialchars with appropriate flags. Because the value sits inside a JS string delimited by single quotes, any input containing a single quote character allows an attacker to terminate the string prematurely and inject arbitrary JavaScript expressions. The clean_title field is derived from user-supplied video title input, meaning any user with video creation or editing privileges can craft a malicious title. The injected script executes in the security context of whatever user loads the download page for that video, which may include administrators or authenticated users with elevated privileges.
PoC
import requests
target = "https://example.com"
login_url = f"{target}/user"
upload_url = f"{target}/video/addNew"
session = requests.Session()
session.post(login_url, data={
"user[user]": "attacker",
"user[pass]": "attackerpassword"
})
malicious_title = "');alert(document.cookie);//"
session.post(upload_url, data={
"title": malicious_title,
"description": "poc"
})
After the video is created, navigate to:
https://example.com/plugin/CDN/downloadButtons.php?videos_id=<TARGET_VIDEO_ID>
The rendered page will contain:
downloadURLOrAlertError(url, {}, '');alert(document.cookie);//.' + format, progress);
Impact
Any user who can create or edit a video can store malicious JavaScript that will execute in the browser of any other user who visits the download page for that video. This includes scenarios where an attacker with a low-privilege account targets administrator sessions. Successful exploitation enables session cookie theft, credential harvesting, and actions performed on behalf of the victim within the application. Because the payload is stored server-side and triggers without further attacker interaction, all users who access download pages for attacker-controlled videos are at risk.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "wwbn/avideo"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "25.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-33295"
],
"database_specific": {
"cwe_ids": [
"CWE-79"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-19T17:12:19Z",
"nvd_published_at": "2026-03-22T17:17:09Z",
"severity": "HIGH"
},
"details": "### Summary\n\nWWBN/AVideo contains a stored cross-site scripting vulnerability in the CDN plugin\u0027s download buttons component. The `clean_title` field of a video record is interpolated directly into a JavaScript string literal without any escaping, allowing an attacker who can create or modify a video to inject arbitrary JavaScript that executes in the browser of any user who visits the affected download page.\n\n### Details\n\nAt line 59 of the affected file, the following PHP code constructs a JavaScript function call:\n\n```php\ndownloadURLOrAlertError(url, {}, \u0027\u003c?php echo $video[\u0027clean_title\u0027]; ?\u003e.\u0027 + format, progress);\n```\n\nThe `clean_title` value is echoed verbatim inside a single-quoted JavaScript string literal. No JavaScript-context escaping is applied, such as wrapping with `json_encode` or htmlspecialchars with appropriate flags. Because the value sits inside a JS string delimited by single quotes, any input containing a single quote character allows an attacker to terminate the string prematurely and inject arbitrary JavaScript expressions. The `clean_title` field is derived from user-supplied video title input, meaning any user with video creation or editing privileges can craft a malicious title. The injected script executes in the security context of whatever user loads the download page for that video, which may include administrators or authenticated users with elevated privileges.\n\n### PoC\n\n```python\nimport requests\n\ntarget = \"https://example.com\"\nlogin_url = f\"{target}/user\"\nupload_url = f\"{target}/video/addNew\"\n\nsession = requests.Session()\n\nsession.post(login_url, data={\n \"user[user]\": \"attacker\",\n \"user[pass]\": \"attackerpassword\"\n})\n\nmalicious_title = \"\u0027);alert(document.cookie);//\"\n\nsession.post(upload_url, data={\n \"title\": malicious_title,\n \"description\": \"poc\"\n})\n```\n\nAfter the video is created, navigate to:\n\n```\nhttps://example.com/plugin/CDN/downloadButtons.php?videos_id=\u003cTARGET_VIDEO_ID\u003e\n```\n\nThe rendered page will contain:\n\n```javascript\ndownloadURLOrAlertError(url, {}, \u0027\u0027);alert(document.cookie);//.\u0027 + format, progress);\n```\n\n### Impact\n\nAny user who can create or edit a video can store malicious JavaScript that will execute in the browser of any other user who visits the download page for that video. This includes scenarios where an attacker with a low-privilege account targets administrator sessions. Successful exploitation enables session cookie theft, credential harvesting, and actions performed on behalf of the victim within the application. Because the payload is stored server-side and triggers without further attacker interaction, all users who access download pages for attacker-controlled videos are at risk.",
"id": "GHSA-gc3m-4mcr-h3pv",
"modified": "2026-03-25T18:35:10Z",
"published": "2026-03-19T17:12:19Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-gc3m-4mcr-h3pv"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33295"
},
{
"type": "WEB",
"url": "https://github.com/WWBN/AVideo/commit/30cdd825fa5778c1d678c2402be2413b84ee4833"
},
{
"type": "PACKAGE",
"url": "https://github.com/WWBN/AVideo"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N",
"type": "CVSS_V4"
}
],
"summary": "AVideo Affected by Stored XSS via Unescaped Video Title in CDN downloadButtons.php"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.