GHSA-RCQW-6466-3MV7

Vulnerability from github – Published: 2026-02-20 21:15 – Updated: 2026-02-24 16:27
VLAI?
Summary
AVideo has Stored Cross-Site Scripting via Markdown Comment Injection
Details

Vulnerability Type

Stored Cross-Site Scripting (XSS) — CWE-79.

Affected Product/Versions

AVideo 18.0.

Root Cause Summary

AVideo allows Markdown in video comments and uses Parsedown (v1.7.4) without Safe Mode enabled. Markdown links are not sufficiently sanitized, allowing javascript: URIs to be rendered as clickable links.

Impact Summary

An authenticated low-privilege attacker can post a malicious comment that injects persistent JavaScript. When another user clicks the link, the attacker can perform actions such as session hijacking, privilege escalation (including admin takeover), and data exfiltration.

Resolution/Fix

The issue was confirmed and fixed in the master branch. An official release will be published soon.

Workarounds

Until the release is available, validate and block unsafe URI schemes (e.g., javascript:) before rendering Markdown, and enable Parsedown Safe Mode.

Credits/Acknowledgement

Reported by Arkadiusz Marta (https://github.com/arkmarta/).

Severity ?
5.1 (Medium)
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "wwbn/avideo"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "21.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-27568"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-20T21:15:06Z",
    "nvd_published_at": "2026-02-24T15:21:38Z",
    "severity": "MODERATE"
  },
  "details": "## Vulnerability Type\nStored Cross-Site Scripting (XSS) \u2014 CWE-79.\n\n## Affected Product/Versions\nAVideo 18.0.\n\n## Root Cause Summary\nAVideo allows Markdown in video comments and uses Parsedown (v1.7.4) without Safe Mode enabled. Markdown links are not sufficiently sanitized, allowing `javascript:` URIs to be rendered as clickable links.\n\n## Impact Summary\nAn authenticated low-privilege attacker can post a malicious comment that injects persistent JavaScript. When another user clicks the link, the attacker can perform actions such as session hijacking, privilege escalation (including admin takeover), and data exfiltration.\n\n## Resolution/Fix\nThe issue was confirmed and fixed in the master branch. An official release will be published soon.\n\n## Workarounds\nUntil the release is available, validate and block unsafe URI schemes (e.g., `javascript:`) before rendering Markdown, and enable Parsedown Safe Mode.\n\n## Credits/Acknowledgement\nReported by Arkadiusz Marta (https://github.com/arkmarta/).",
  "id": "GHSA-rcqw-6466-3mv7",
  "modified": "2026-02-24T16:27:02Z",
  "published": "2026-02-20T21:15:06Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-rcqw-6466-3mv7"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27568"
    },
    {
      "type": "WEB",
      "url": "https://github.com/WWBN/AVideo/commit/ade348ed6d28b3797162c3d9e98054fb09ec51d7"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/WWBN/AVideo"
    },
    {
      "type": "WEB",
      "url": "https://github.com/WWBN/AVideo/releases/tag/21.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "AVideo has Stored Cross-Site Scripting via Markdown Comment Injection"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.