{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39367", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-06T21:29:17.350Z", "datePublished": "2026-04-07T19:22:07.732Z", "dateUpdated": "2026-04-08T17:47:40.548Z"}, "containers": {"cna": {"title": "WWBN AVideo has Stored XSS via Malicious EPG XML Program Titles in AVideo EPG Page", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/WWBN/AVideo/security/advisories/GHSA-rqp3-gf5h-mrqx", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-rqp3-gf5h-mrqx"}, {"name": "https://github.com/WWBN/AVideo/commit/e0212add4aad0f1e97758a4b4fdc57df58ce68e8", "tags": ["x_refsource_MISC"], "url": "https://github.com/WWBN/AVideo/commit/e0212add4aad0f1e97758a4b4fdc57df58ce68e8"}], "affected": [{"vendor": "WWBN", "product": "AVideo", "versions": [{"version": "<= 26.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-07T19:22:07.732Z"}, "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions 26.0 and prior, AVideo's EPG (Electronic Program Guide) feature parses XML from user-controlled URLs and renders programme titles directly into HTML without any sanitization or escaping. A user with upload permission can set a video's epg_link to a malicious XML file whose <title> elements contain JavaScript. This payload executes in the browser of any unauthenticated visitor to the public EPG page, enabling session hijacking and account takeover."}], "source": {"advisory": "GHSA-rqp3-gf5h-mrqx", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-rqp3-gf5h-mrqx", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-08T17:47:37.059400Z", "id": "CVE-2026-39367", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T17:47:40.548Z"}}]}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions 26.0 and prior, AVideo's EPG (Electronic Program Guide) feature parses XML from user-controlled URLs and renders programme titles directly into HTML without any sanitization or escaping. A user with upload permission can set a video's epg_link to a malicious XML file whose <title> elements contain JavaScript. This payload executes in the browser of any unauthenticated visitor to the public EPG page, enabling session hijacking and account takeover."}], "id": "CVE-2026-39367", "lastModified": "2026-04-08T21:27:00.663", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-07T20:16:30.677", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/WWBN/AVideo/commit/e0212add4aad0f1e97758a4b4fdc57df58ce68e8"}, {"source": "security-advisories@github.com", "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-rqp3-gf5h-mrqx"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-rqp3-gf5h-mrqx"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,26.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "AVideo", "source": "cna", "vendor": "WWBN"}, "product": "avideo", "vendor": "wwbn"}], "analysis": {"en": {"generated_at": "2026-04-07T22:41:28.579220+00:00", "value": {"mitigation_remediation": ["Upgrade to the latest AVideo release (\u226527.0) or apply the patch commit e0212add4aad0f1e97758a4b4fdc57df58ce68e8"], "summary": {"action": "Apply Patch", "impact": "Stored XSS enabling session hijacking"}, "threat_synthesis": {"affected_systems": "All releases of WWBN AVideo version 26.0 and earlier are affected. Users who run these or older versions without the addressed patch are exposed until upgrading to a newer release that sanitizes EPG titles.", "description_and_impact": "The Electronic Program Guide (EPG) of WWBN AVideo imports XML from a user\u2011supplied URL and injects title elements directly into the browser page without sanitization or escaping. When a user with upload permission assigns a video the epg_link field to a malicious XML file containing JavaScript in its <title> tags, that script runs in any browser that loads the public EPG page. The injected code can steal session cookies and take over user accounts, representing a classic stored cross\u2011site scripting flaw. The weakness corresponds to OWASP's CWE\u201179.", "risk_and_exploitability": "The CVSS score of 5.4 places the flaw in a moderate severity range. No EPSS value or KEV listing is available, but the vulnerability requires only an authenticated upload\u2011capable user to supply the malicious XML. Once the XML is stored, every unauthenticated visitor to the EPG page becomes a victim, making the attack vector publicly reachable via web browsers. Though server compromise is not required, the potential for widespread account takeover warrants prompt remediation."}}}}, "created": "2026-04-08T19:34:45.287211+00:00", "updated": "2026-04-08T19:46:20.378637+00:00", "vendors": ["wwbn", "wwbn$PRODUCT$avideo"]}