CVE-2026-50183 in AVideoinfo

Summary

by MITRE • 07/16/2026

WWBN AVideo is an open source video platform. Versions 29.0 and below contain a stored Cross-Site Scripting vulnerability in the YouTubeAPI plugin. The plugin renders the snippet.title field returned by the YouTube Data API into the homepage gallery markup with no HTML encoding. The title is set by the YouTube video uploader (anyone in the world) and is treated by AVideo as trusted content. A YouTube uploader who controls a video matching the operator's configured query injects HTML into the AVideo homepage by setting their video's title to a JavaScript-bearing string; the payload then executes in the browser of every visitor who loads any page that renders the gallery. When the visitor is an AVideo administrator, the injected JavaScript performs any admin action (create user, promote to admin, change configuration, install plugin) that uses cookie-based authentication without an additional CSRF token, escalating the bug into full administrative takeover. The payload persists for the duration of cacheTimeout (default 3600 seconds) after the malicious title is set on YouTube and survives YouTube removing the hostile video for the same window. This issue has been addressed by commit https://github.com/WWBN/AVideo/commit/7292129eaee5f609beae103b5cb387d55f17b877.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 07/16/2026

The stored cross-site scripting vulnerability in AVideo versions 29.0 and below represents a critical security flaw within the YouTubeAPI plugin that enables remote code execution through user-controlled content. This vulnerability stems from improper HTML encoding of the snippet.title field returned by the YouTube Data API, creating an attack vector where malicious actors can inject arbitrary JavaScript into the platform's homepage gallery markup. The flaw exists because AVideo treats all content from YouTube as trusted without proper sanitization, allowing any external user to manipulate the system through legitimate video title fields that are subsequently rendered in the application's user interface.

The technical implementation of this vulnerability operates through a multi-layered attack chain that begins with a malicious YouTube uploader setting a specially crafted title containing JavaScript code. When AVideo processes this title for display in the homepage gallery, the lack of HTML encoding allows the payload to execute in the context of every visitor's browser who loads pages containing the affected gallery component. This stored XSS vulnerability is particularly dangerous because it persists for the duration of the cache timeout period, which defaults to 3600 seconds, meaning that even if the malicious video is removed from YouTube, the injected content continues to serve the payload to users. The vulnerability also maintains persistence across YouTube's removal of the hostile video due to the local caching mechanism within AVideo's system.

The operational impact of this vulnerability extends far beyond simple script execution, as it enables full administrative takeover when victims are AVideo administrators. This escalation occurs because the injected JavaScript can perform any admin action that relies on cookie-based authentication without additional CSRF protection mechanisms. The attack leverages the principle of least privilege by exploiting the trust model where YouTube content is automatically rendered without sanitization, creating a path for privilege escalation that bypasses normal access controls. This vulnerability directly maps to CWE-79: Improper Neutralization of Input During Web Page Generation, which specifically addresses cross-site scripting flaws in web applications.

The attack surface is significantly expanded by the fact that this vulnerability affects all users who load pages containing the vulnerable gallery component, making it a persistent threat that can compromise multiple system administrators over time. The lack of CSRF token validation in administrative functions creates an additional weakness that allows attackers to perform unauthorized actions with elevated privileges. This vulnerability aligns with ATT&CK technique T1059.007: Command and Scripting Interpreter: JavaScript, as the attack vector specifically targets JavaScript execution within web browsers, and T1496: Resource Hijacking, since the malicious code can manipulate system resources through administrative functions. The persistence mechanism through cache timeouts also demonstrates characteristics of T1566: Phishing, as it creates a prolonged window where unsuspecting administrators may be compromised.

Mitigation strategies should focus on implementing proper HTML encoding for all user-provided content before rendering in web interfaces, establishing input validation for titles and other metadata fields, and implementing CSRF protection for administrative functions. The fix implemented in commit 7292129eaee5f609beae103b5cb387d55f17b877 addresses the core issue by ensuring that YouTube API responses are properly sanitized before display, preventing malicious payloads from executing in user browsers. Additional security measures include implementing content security policies to restrict script execution, regularly auditing external content integration points, and establishing monitoring for unusual administrative activity that might indicate compromise. Organizations should also consider implementing rate limiting for content imports and regular security scanning of third-party integrations to prevent similar vulnerabilities from emerging in other components of their systems.

Responsible

GitHub M

Reservation

06/04/2026

Disclosure

07/16/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Want to know what is going to be exploited?

We predict KEV entries!