CVE-2026-39367
Last modified
CVE-2026-39367 is a medium-severity vulnerability rated 5.4/10 on the CVSS scale. WWBN AVideo is an open source video platform. In versions 26.0 and prior, AVideo's EPG (Electronic Program Guide) feature parses XML from user-controlled URLs and renders programme titles directly into HTML without any sanitization or escaping. EPSS estimates a 0.19% chance of exploitation in the next 30 days.
Description
WWBN AVideo is an open source video platform. In versions 26.0 and prior, AVideo's EPG (Electronic Program Guide) feature parses XML from user-controlled URLs and renders programme titles directly into HTML without any sanitization or escaping. A user with upload permission can set a video's epg_link to a malicious XML file whose <title> elements contain JavaScript. This payload executes in the browser of any unauthenticated visitor to the public EPG page, enabling session hijacking and account takeover.
Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Wwbn | Avideo | <= 26.0 |
References
Timeline
- Published
- Last Modified
- Status
- Analyzed
Frequently Asked Questions
What is CVE-2026-39367?
How severe is CVE-2026-39367?
How do I fix CVE-2026-39367?
Are you affected by CVE-2026-39367?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST