CVE-2026-33499 in AVideo

Summary

by MITRE • 03/23/2026

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `view/forbiddenPage.php` and `view/warningPage.php` templates reflect the `$_REQUEST['unlockPassword']` parameter directly into an HTML `<input>` tag's attributes without any output encoding or sanitization. An attacker can craft a URL that breaks out of the `value` attribute and injects arbitrary HTML attributes including JavaScript event handlers, achieving reflected XSS against any visitor who clicks the link. Commit f154167251c9cf183ce09cd018d07e9352310457 contains a patch.


Analysis

by VulDB Data Team • 03/28/2026

The vulnerability identified as CVE-2026-33499 affects the WWBN AVideo platform in versions up to and including 26.0. The flaw sits in the template files view/forbiddenPage.php and view/warningPage.php, which do not sanitize user input before writing it into their HTML output: the $_REQUEST['unlockPassword'] parameter is reflected directly into HTML attributes with no output encoding. This is a classic reflected cross-site scripting vulnerability, in which a crafted URL carries content that is then executed in the browsers of other users.

The defect arises when the application takes the user-supplied unlockPassword parameter and embeds it, unencoded, into the value attribute of an HTML input tag. Because nothing encodes the value for the attribute context, input that closes the attribute lets an attacker append further HTML attributes, including JavaScript event handlers, to the same tag. The weakness is classified as CWE-79, which covers cross-site scripting flaws where a web application fails to escape or encode output before the browser renders it.

The operational impact is reflected XSS against any visitor who clicks the crafted link. When the victim opens the URL, the injected script becomes part of the HTML document and runs in the victim's browser context, which opens the door to session hijacking, credential theft, redirection to malicious sites, or arbitrary script execution in the victim's browser. Every user who reaches the affected pages is exposed, so the flaw lends itself to social engineering or to tampering with links shared within the platform.

The mitigation is to encode user data for the HTML attribute context before it is rendered. The patch in commit f154167251c9cf183ce09cd018d07e9352310457 takes this approach, escaping the input before it reaches the HTML output. Beyond applying the patch, operators should validate input and encode output so that user data is never interpreted as HTML or JavaScript: use the appropriate HTML escaping function when writing user-supplied data into attributes, deploy Content Security Policy headers to limit script execution, and review the rest of the application for similar reflection points. The ATT&CK framework categorizes this as a reflected XSS technique under T1059.007, which involves executing code through web application vulnerabilities.
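As an added example (not AVideo's own code, and not the patch), the reflection described above reproduced in Python with the hardened rendering beside it: render_unsafe mirrors a template that writes the parameter into a double-quoted value attribute unencoded, render_safe applies attribute-context encoding (html.escape with quote=True, the equivalent of PHP's htmlspecialchars with ENT_QUOTES), and is_contained parses the output the way a browser would to confirm the tag carries only its intended attributes. The field name, the double-quoted attribute and the constructed input are assumptions.

```python
import html
from html.parser import HTMLParser

# Constructed input: it closes the value attribute and adds an attribute of its own.
# It carries no script; that is enough to show the attribute-context breakout.
BREAKOUT = 'secret" data-injected="1'


def render_unsafe(unlock_password: str) -> str:
    """Mirrors the reported template: the parameter lands in value="" unencoded (assumed markup)."""
    return f'<input type="password" name="unlockPassword" value="{unlock_password}">'


def render_safe(unlock_password: str) -> str:
    """Hardened form: attribute-context encoding, the Python equivalent of
    htmlspecialchars($v, ENT_QUOTES | ENT_HTML5, 'UTF-8') in a PHP template."""
    encoded = html.escape(unlock_password, quote=True)
    return f'<input type="password" name="unlockPassword" value="{encoded}">'


class _InputAttrs(HTMLParser):
    """Collects the attributes of the first <input> tag, with entities decoded."""

    def __init__(self):
        super().__init__()
        self.attrs = {}

    def handle_starttag(self, tag, attrs):
        if tag == "input" and not self.attrs:
            self.attrs = dict(attrs)


def input_attributes(markup: str) -> dict:
    """Parse the rendered tag as a browser would and return its attribute map."""
    parser = _InputAttrs()
    parser.feed(markup)
    return parser.attrs


def is_contained(markup: str, expected_value: str) -> bool:
    """Regression check: exactly the three intended attributes, and the value
    round-trips to the original parameter (so nothing escaped the attribute)."""
    attrs = input_attributes(markup)
    return set(attrs) == {"type", "name", "value"} and attrs.get("value") == expected_value


if __name__ == "__main__":
    for render in (render_unsafe, render_safe):
        out = render(BREAKOUT)
        verdict = "contained" if is_contained(out, BREAKOUT) else "ATTRIBUTE BREAKOUT"
        print(f"{render.__name__}: {input_attributes(out)} -> {verdict}")
```

The same check can be pointed at the real forbiddenPage.php and warningPage.php responses to confirm the patch holds after an upgrade.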

Responsible: GitHub M

Reservation: 03/20/2026

Disclosure: 03/23/2026

Moderation: accepted

CPE: ready

EPSS: 0.00020

KEV: no

Activities: very low
