CVE-2026-33499 MEDIUM

CVE-2026-33499: AVideo has Reflected XSS via unlockPassword Parameter in forbiddenPage.php and warningPage.php

Vendor Wwbn
Product AVideo
Weakness CWE-79 · XSS
Published March 23, 2026
Last update March 23, 2026

CVSS base score

6.1/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

What the vulnerability does

Description

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `view/forbiddenPage.php` and `view/warningPage.php` templates reflect the `$_REQUEST['unlockPassword']` parameter directly into an HTML `<input>` tag's attributes without any output encoding or sanitization. An attacker can craft a URL that breaks out of the `value` attribute and injects arbitrary HTML attributes including JavaScript event handlers, achieving reflected XSS against any visitor who clicks the link. Commit f154167251c9cf183ce09cd018d07e9352310457 contains a patch.
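The missing attribute-context encoding described above, shown as an added example beside its hardened form, with a parser-based regression check; this is not AVideo's code and not the contents of the patch commit. The function names, the `<input>` markup and the `$request` array standing in for `$_REQUEST` are assumptions, and the sample value is constructed and inert.

```php
<?php
// Added illustration, not AVideo's source: function names and markup are hypothetical.

// Pattern the advisory describes: request value placed in an attribute unencoded.
function renderUnlockInputUnsafe(array $request): string
{
    $value = $request['unlockPassword'] ?? '';
    return '<input type="password" name="unlockPassword" value="' . $value . '">';
}

// Hardened form: encode for a double-quoted HTML attribute context.
function renderUnlockInputSafe(array $request): string
{
    $value = $request['unlockPassword'] ?? '';
    if (!is_string($value)) { // unlockPassword[]=x arrives as an array
        $value = '';
    }
    $flags = ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5;
    return '<input type="password" name="unlockPassword" value="'
        . htmlspecialchars($value, $flags, 'UTF-8') . '">';
}

// Regression check: parse the markup and list the attribute names on the <input>.
function inputAttributeNames(string $html): array
{
    $doc = new DOMDocument();
    $doc->loadHTML('<!DOCTYPE html><html><body>' . $html . '</body></html>',
        LIBXML_NOERROR | LIBXML_NOWARNING);
    $names = [];
    foreach ($doc->getElementsByTagName('input')->item(0)->attributes as $attr) {
        $names[] = $attr->name;
    }
    sort($names);
    return $names;
}

// Constructed, inert sample: a double quote followed by an extra attribute.
$sample   = ['unlockPassword' => 'x" data-injected="1'];
$expected = ['name', 'type', 'value'];

foreach (['unsafe' => 'renderUnlockInputUnsafe', 'safe' => 'renderUnlockInputSafe'] as $label => $fn) {
    $names = inputAttributeNames($fn($sample));
    echo $label, ': ', implode(',', $names), ' => ',
        $names === $expected ? 'only expected attributes' : 'UNEXPECTED ATTRIBUTE', PHP_EOL;
}
```

The same attribute-name comparison can be kept as a template regression test, so that any future change that lets a request value add attributes to the element fails the check.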

Key dates

Disclosure timeline

March 23, 2026 CVE published
March 23, 2026 Record updated