CVE-2026-41063 MEDIUM

CVE-2026-41063: WWBN AVideo has incomplete fix for CVE-2026-33500 (XSS)

Vendor Wwbn

Product AVideo

Weakness CWE-79 · XSS

Published April 21, 2026

Last update April 22, 2026

View on NVD All CVEs

CVSS base score

5.4/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction Required

Confidentiality Low

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

What the vulnerability does

01Description

WWBN AVideo is an open source video platform. In versions 29.0 and below, an incomplete XSS fix in AVideo's `ParsedownSafeWithLinks` class overrides `inlineMarkup` for raw HTML but does not override `inlineLink()` or `inlineUrlTag()`, allowing `javascript:` URLs in markdown link syntax to bypass sanitization. Commit cae8f0dadbdd962c89b91d0095c76edb8aadcacf contains an updated fix.

Key dates

02Disclosure timeline

April 21, 2026 CVE published

April 22, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-41063

Related vulnerabilities

04Related CVE

CVE-2022-4866 Cross-site Scripting (XSS) - Stored in usememos/memos CVE-2025-50017 WordPress WP Voting Contest plugin <= 5.8 - Cross Site Scripting (XSS) Vulnerability CVE-2024-53742 WordPress Multilevel Referral Affiliate plugin for WooCommerce plugin <= 2.27 - Reflected Cross Site Scripting (XSS) vulnerability CVE-2024-29022 Session Hijacking via XSS attack in header and session grid in Xibo CMS CVE-2012-10013 Kau-Boy Backend Localization Plugin backend_localization.php cross site scripting