CVE-2026-47694 MEDIUM

CVE-2026-47694: WWBN AVideo: Stored XSS via unescaped Gallery category description

Vendor Wwbn

Product AVideo

Weakness CWE-79 · XSS

Published May 29, 2026

Last update May 30, 2026

View on NVD All CVEs

CVSS base score

5.4/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction Required

Confidentiality Low

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

What the vulnerability does

01Description

WWBN AVideo is an open source video platform. In 29.0 and earlier, AVideo stores category descriptions from user input and later renders category_description as raw HTML in the Gallery view. A user who can create or edit categories can store JavaScript in a category description, which executes when another user views the affected Gallery/category page. This is a stored XSS in the category description field, separate from previously fixed XSS issues in video titles or comments.

Key dates

02Disclosure timeline

May 29, 2026 CVE published

May 30, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-47694 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/79.html

Related vulnerabilities

CVE-2026-47694: WWBN AVideo: Stored XSS via unescaped Gallery category description

01Description

02Disclosure timeline

03References

04Related CVE