CVE-2026-33683— AVideo vulnerable to Stored XSS via html_entity_decode() Reversing xss_esc() Sanitization in Channel About Field
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-33683
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
AVideo vulnerable to Stored XSS via html_entity_decode() Reversing xss_esc() Sanitization in Channel About Field
Source: NVD (National Vulnerability Database)
Vulnerability Description
WWBN AVideo is an open source video platform. In versions up to and including 26.0, a sanitization order-of-operations flaw in the user profile "about" field allows any registered user to inject arbitrary JavaScript that executes when other users visit their channel page. The `xss_esc()` function entity-encodes input before `strip_specific_tags()` can match dangerous HTML tags, and `html_entity_decode()` on output reverses the encoding, restoring the raw malicious HTML. Commit 7cfdc380dae1e56bbb5de581470d9e9957445df0 contains a patch.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
在Web页面生成时对输入的转义处理不恰当(跨站脚本)
Source: NVD (National Vulnerability Database)
Vulnerability Title
WWBN AVideo 跨站脚本漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
WWBN AVideo是WWBN团队的一个由PHP编写的视频平台建站系统。 WWBN AVideo 26.0及之前版本存在跨站脚本漏洞,该漏洞源于用户个人资料about字段的清理操作顺序存在缺陷,可能导致任意注册用户注入并执行恶意JavaScript代码。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-33683
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-33683
请登录查看更多情报信息。
Same Patch Batch · WWBN · 2026-03-23 · 34 CVEs total
| CVE-2026-33478 | 10.0 CRITICAL | AVideo Multi-Chain Attack: Unauthenticated Remote Code Execution via Clone Key Disclosure, |
| CVE-2026-33352 | 9.8 CRITICAL | AVideo has an Unauthenticated SQL Injection via `doNotShowCats` Parameter (Backslash Escap |
| CVE-2026-33716 | 9.4 CRITICAL | AVideo Allows Unauthenticated Live Stream Control via Token Verification URL Override in c |
| CVE-2026-33502 | 9.3 CRITICAL | AVideo has Unauthenticated SSRF via plugin/Live/test.php |
| CVE-2026-33351 | 9.1 CRITICAL | AVideo has Unauthenticated SSRF via `webSiteRootURL` Parameter in saveDVR.json.php, Chaini |
| CVE-2026-33717 | 8.8 HIGH | AVideo Vulnerable to Remote Code Execution via Persistent PHP Temp File in Encoder downloa |
| CVE-2026-33479 | 8.8 HIGH | AVideo has PHP Code Injection via eval() in Gallery saveSort.json.php Exploitable Through |
| CVE-2026-33647 | 8.8 HIGH | AVideo Vulnerable to Remote Code Execution via MIME/Extension Mismatch in ImageGallery Fil |
| CVE-2026-33648 | 8.8 HIGH | AVideo Vulnerable to OS Command Injection via Unsanitized `users_id` and `liveTransmitionH |
| CVE-2026-33507 | 8.8 HIGH | AVideo Affected by CSRF on Plugin Import Endpoint Enables Unauthenticated Remote Code Exec |
| CVE-2026-33480 | 8.6 HIGH | AVideo has a SSRF Protection Bypass via IPv4-Mapped IPv6 Addresses in Unauthenticated Live |
| CVE-2026-33719 | 8.6 HIGH | AVideo Vulnerable to Unauthenticated CDN Configuration Takeover via Empty Default Key Bypa |
| CVE-2026-33513 | 8.6 HIGH | AVideo has an Unauthenticated Local File Inclusion in API locale (RCE possible with writab |
| CVE-2026-33651 | 8.1 HIGH | AVideo has a Blind SQL Injection in Live Schedule Reminder via Unsanitized live_schedule_i |
| CVE-2026-33482 | 8.1 HIGH | AVideo has an OS Command Injection via $() Shell Substitution Bypass in sanitizeFFmpegComm |
| CVE-2026-33649 | 8.1 HIGH | AVideo's GET-Based CSRF in setPermission.json.php Enables Privilege Escalation via Arbitra |
| CVE-2026-33354 | 7.6 HIGH | AVideo has an authenticated arbitrary local file read via `chunkFile` path injection in `a |
| CVE-2026-33650 | 7.6 HIGH | AVideo's Video Moderator Privilege Escalation via Ownership Transfer Enables Arbitrary Vid |
| CVE-2026-33512 | 7.5 HIGH | AVideo has an unauthenticated decrypt oracle leaking any ciphertext |
| CVE-2026-33483 | 7.5 HIGH | AVideo Affected by Unauthenticated Disk Space Exhaustion via Unlimited Temp File Creation |
Showing top 20 of 34 CVEs. View all on vendor page → →
IV. Related Vulnerabilities
Same product: AVideo
- CVE-2026-41304
WWBN AVideo vulnerable to RCE caused by clonesite plugin - CVE-2026-41064
AVideo has an incomplete fix for CVE-2026-33502 (Command Inj - CVE-2026-41063
WWBN AVideo has incomplete fix for CVE-2026-33500 (XSS) - CVE-2026-41062
WWBN/AVideo has an incomplete fix for a directory traversal - CVE-2026-41061
WWBN AVideo Vulnerable to stored XSS via Unanchored Duration
Same vendor: WWBN
- CVE-2026-41304
WWBN AVideo vulnerable to RCE caused by clonesite plugin - CVE-2026-41064
AVideo has an incomplete fix for CVE-2026-33502 (Command Inj - CVE-2026-41063
WWBN AVideo has incomplete fix for CVE-2026-33500 (XSS) - CVE-2026-41062
WWBN/AVideo has an incomplete fix for a directory traversal - CVE-2026-41061
WWBN AVideo Vulnerable to stored XSS via Unanchored Duration
Same weakness: CWE-79
- CVE-2026-8262
Devs Palace ERP Online chart-save cross site scripting - CVE-2026-8256
Devs Palace ERP Online mr-save cross site scripting - CVE-2026-8255
Devs Palace ERP Online add_new_customer cross site scripting - CVE-2026-8254
Devs Palace ERP Online sales_save cross site scripting - CVE-2026-8253
Devs Palace ERP Online purchase_save cross site scripting
V. Comments for CVE-2026-33683
No comments yet