CVE-2026-47694NVD

Vulnerability Summary

WWBN AVideo is an open source video platform. In 29.0 and earlier, AVideo stores category descriptions from user input and later renders category_description as raw HTML in the Gallery view. A user who can create or edit categories can store JavaScript in a category description, which executes when another user views the affected Gallery/category page. This is a stored XSS in the category description field, separate from previously fixed XSS issues in video titles or comments.

Severity Level

MEDIUM(5.4)

Published Date

May 29, 2026

Last Modified

Jun 1, 2026

Exploitation Status

UNKNOWN

CVSS v3.1 Base Metrics

Attack VectorNetwork

Attack ComplexityLow

Privileges RequiredLow

User InteractionRequired

ScopeChanged

ConfidentialityLow

IntegrityLow

AvailabilityNone

External References

https://github.com/WWBN/AVideo/security/advisories/GHSA-c8h8-vq34-9fw2
https://github.com/WWBN/AVideo/security/advisories/GHSA-c8h8-vq34-9fw2