CVE-2026-27568 MEDIUM

CVE-2026-27568: AVideo has Stored Cross-Site Scripting via Markdown Comment Injection

Vendor Wwbn
Product AVideo
Weakness CWE-79 · XSS
Published February 24, 2026
Last update February 27, 2026
View on NVD All CVEs

CVSS base score

5.1/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

What the vulnerability does

01Description

WWBN AVideo is an open source video platform. Prior to version 21.0, AVideo allows Markdown in video comments and uses Parsedown (v1.7.4) without Safe Mode enabled. Markdown links are not sufficiently sanitized, allowing `javascript:` URIs to be rendered as clickable links. An authenticated low-privilege attacker can post a malicious comment that injects persistent JavaScript. When another user clicks the link, the attacker can perform actions such as session hijacking, privilege escalation (including admin takeover), and data exfiltration. Version 21.0 contains a fix. As a workaround, validate and block unsafe URI schemes (e.g., `javascript:`) before rendering Markdown, and enable Parsedown Safe Mode.

Key dates

02Disclosure timeline

February 24, 2026 CVE published
February 27, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2022-25618 WordPress wpDataTables plugin <= 2.1.27 - Stored Cross-Site Scripting (XSS) vulnerability CVE-2022-0205 YOP Poll < 6.3.5 - Author+ Stored Cross-Site Scripting CVE-2023-53906 ProjectSend r1605 Stored Cross-Site Scripting via Custom Assets Page CVE-2020-3523 Cisco Data Center Network Manager Cross-Site Scripting Vulnerability CVE-2024-10034 Gallery Blocks with Lightbox. Image Gallery, (HTML5 video , YouTube, Vimeo) Video Gallery and Lightbox for native gallery <= 3.2.4.2 - Authenticated (Editor+) Stored Cross-Site Scripting