{"id":"CVE-2026-33295","summary":"AVideo Vulnerable to Stored XSS via Unescaped Video Title in CDN downloadButtons.php","details":"WWBN AVideo is an open source video platform. Prior to version 26.0, WWBN/AVideo contains a stored cross-site scripting vulnerability in the CDN plugin's download buttons component. The `clean_title` field of a video record is interpolated directly into a JavaScript string literal without any escaping, allowing an attacker who can create or modify a video to inject arbitrary JavaScript that executes in the browser of any user who visits the affected download page. Version 26.0 fixes the issue.","aliases":["GHSA-gc3m-4mcr-h3pv"],"modified":"2026-07-15T01:49:10.142734390Z","published":"2026-03-22T17:00:55.697Z","database_specific":{"cna_assigner":"GitHub_M","cwe_ids":["CWE-79"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33295.json"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33295.json"},{"type":"ADVISORY","url":"https://github.com/WWBN/AVideo/security/advisories/GHSA-gc3m-4mcr-h3pv"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33295"},{"type":"FIX","url":"https://github.com/WWBN/AVideo/commit/30cdd825fa5778c1d678c2402be2413b84ee4833"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/wwbn/avideo","events":[{"introduced":"0"},{"fixed":"aee1e11ee8d9343f87b7643e49cc32924b07979b"},{"fixed":"30cdd825fa5778c1d678c2402be2413b84ee4833"}],"database_specific":{"cpe":"cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*","extracted_events":[{"introduced":"0"},{"fixed":"26.0"}],"source":["CPE_RANGE","REFERENCES"]}}],"versions":["25.0","24.0","22.0","21.0","18.0","14.3.1","14.3","12.4","11.6","11.5","11.1.1","11.1","11","10.8","8.9.1","8.9","8.7","8.6","8.5","8.1","7.8","7.7","7.6","7.4","7.3","7.2","4.0","3.4","2.7","2.2"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33295.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N"}]}