CVE-2026-33500 in AVideo
Summary
by MITRE • 03/23/2026
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the fix for CVE-2026-27568 (GHSA-rcqw-6466-3mv7) introduced a custom `ParsedownSafeWithLinks` class that sanitizes raw HTML `<a>` and `<img>` tags in comments, but explicitly disables Parsedown's `safeMode`. This creates a bypass: markdown link syntax `[text](javascript:alert(1))` is processed by Parsedown's `inlineLink()` method, which does not go through the custom `sanitizeATag()` sanitization (that only handles raw HTML tags). With `safeMode` disabled, Parsedown's built-in `javascript:` URI filtering (`sanitiseElement()`/`filterUnsafeUrlInAttribute()`) is also inactive. An attacker can inject stored XSS via comment markdown links. Commit 3ae02fa240939dbefc5949d64f05790fd25d728d contains a patch.
Analysis
by VulDB Data Team • 03/28/2026
The vulnerability CVE-2026-33500 affects the WWBN AVideo platform version 26.0 and earlier, representing a critical stored cross-site scripting flaw that emerged from an attempted security fix for a previous vulnerability. This issue demonstrates how security patches can inadvertently introduce new attack vectors when not carefully implemented. The platform's comment system was designed to sanitize user input containing HTML tags, specifically targeting `<a>` and `<img>` elements through a custom `ParsedownSafeWithLinks` class. However, this sanitization approach contained a fundamental flaw that allowed attackers to bypass the intended security controls.
The technical flaw stems from the explicit disabling of Parsedown's built-in `safeMode` within the custom sanitization implementation. While the `ParsedownSafeWithLinks` class correctly handles raw HTML tag sanitization for `<a>` and `<img>` elements through its `sanitizeATag()` method, it fails to account for markdown link syntax processing. When users submit comments containing markdown links such as `[text](javascript:alert(1))`, the Parsedown library processes these through its `inlineLink()` method, which operates independently of the custom sanitization logic. This separation occurs because the markdown link syntax is parsed before the raw HTML sanitization step, leaving the `javascript:` URI scheme unfiltered.
The operational impact of this vulnerability is severe, as it allows attackers to inject malicious JavaScript code that executes in the context of other users' browsers when they view affected comments. This stored XSS attack vector enables potential session hijacking, credential theft, data exfiltration, and malicious code execution against unsuspecting users. The vulnerability specifically affects the comment functionality, where users can submit content that gets stored and displayed to other platform users. The bypass mechanism exploits the fact that Parsedown's built-in `javascript:` URI filtering, which would normally prevent such attacks when `safeMode` is enabled, is completely disabled in this implementation.
Security researchers can identify this vulnerability through code analysis of the `ParsedownSafeWithLinks` class implementation and its interaction with Parsedown's core methods. The flaw aligns with CWE-79 (Cross-site Scripting) and represents a classic case of improper input validation where the sanitization process fails to account for all possible input vectors. The ATT&CK framework categorizes this under T1566 (Phishing) and T1059 (Command and Scripting Interpreter) as attackers can use the XSS to redirect users to malicious sites or execute malicious scripts. The vulnerability's root cause can be traced to a lack of comprehensive security testing and insufficient understanding of how markdown parsing interacts with HTML sanitization in the Parsedown library. The patch referenced in commit 3ae02fa240939dbefc5949d64f05790fd25d728d addresses this by properly implementing safe mode or ensuring all link processing pathways are consistently sanitized.
The mitigation strategy requires enabling Parsedown's `safeMode` or implementing comprehensive sanitization that covers all potential attack vectors including markdown syntax, raw HTML, and URL schemes. Organizations should also implement Content Security Policy headers to provide additional protection against XSS attacks. Regular security audits and input validation testing are essential to prevent similar issues in future implementations. The vulnerability serves as a reminder that security fixes must be thoroughly tested across all code paths and that disabling security features for convenience can create dangerous attack surfaces.
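The markdown-link path described above, together with the mitigation the analysis calls for, as an added example that is not AVideo's or Parsedown's own code: a Parsedown 1.7.x subclass that keeps `safeMode` enabled and additionally applies a strict scheme allowlist to the `href` that `inlineLink()` produces. The class name, the allowlist and the Composer autoload path are assumptions.

```php
<?php
// Added example, not AVideo's or Parsedown's code. Assumes erusev/parsedown
// 1.7.x installed via Composer; class and allowlist names are invented here.
require_once __DIR__ . '/vendor/autoload.php';

class HardenedCommentParser extends Parsedown
{
    // Assumed allowlist: tighter than Parsedown's own safeLinksWhitelist.
    private const ALLOWED_SCHEMES = ['http', 'https', 'mailto'];

    public function __construct()
    {
        // Primary fix: safeMode stays ON, so element() runs
        // sanitiseElement()/filterUnsafeUrlInAttribute() on href and src.
        $this->setSafeMode(true);
    }

    // Defense in depth for the path the advisory describes: [text](url) is
    // built by inlineLink() (inlineImage() reuses it), so re-check its href
    // with the same rule a raw-HTML <a>/<img> sanitizer would apply.
    protected function inlineLink($Excerpt)
    {
        $Link = parent::inlineLink($Excerpt);
        if ($Link === null) {
            return null;
        }
        $href = $Link['element']['attributes']['href'] ?? '';
        if (!self::isAllowedUrl($href)) {
            // Neutralise rather than "repair": keep the text, drop the target.
            $Link['element']['attributes']['href'] = '#';
        }
        return $Link;
    }

    // Scheme check that survives common obfuscation: control characters
    // inside the scheme (e.g. "java\tscript:") and mixed case, which browsers ignore.
    public static function isAllowedUrl(string $url): bool
    {
        $clean = preg_replace('/[\x00-\x20\x7F]+/', '', $url);
        if (!preg_match('/^([a-z][a-z0-9+.-]*):/i', $clean, $m)) {
            return true; // no scheme: relative URL, cannot carry javascript:
        }
        return in_array(strtolower($m[1]), self::ALLOWED_SCHEMES, true);
    }
}

// Constructed sample comments (not taken from the advisory).
$parser = new HardenedCommentParser();
$samples = ['[help](https://example.com/docs)', '[click](javascript:alert(1))', "[x](java\tscript:alert(1))"];
foreach ($samples as $comment) { echo $parser->text($comment), "\n"; }
```

Because `safeMode` also makes Parsedown escape raw HTML, a site that still wants raw `<a>`/`<img>` tags to render must apply the same `isAllowedUrl()` rule inside its raw-tag sanitizer, so that both link paths enforce one policy.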