Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in AVideo - CVE-2026-39367

 


Published: April 8, 2026


Vulnerability identifier: #VU125512
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-39367
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: World Wide Broadcast Network
Affected software:
AVideo

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary script in the victim's browser.

The vulnerability exists due to cross-site scripting in the EPG page when rendering program titles from user-controlled XML content. A remote user can set a video's epg_link to a malicious XML file containing crafted program titles to execute arbitrary script in the victim's browser.

Exploitation requires the victim to visit the public EPG page, and the malicious content may persist due to server-side caching.
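The class of bug described above, shown as an added example that is not AVideo's code and not part of the original advisory: titles parsed from an untrusted EPG XML file are rendered once without encoding and once with HTML output encoding, and a helper lists titles containing markup characters so cached EPG data can be reviewed. The XMLTV-style `<programme>`/`<title>` layout, the sample feed, and all function names are assumptions made for illustration.

```python
import html
import xml.etree.ElementTree as ET

# Constructed sample feed. The XMLTV-style <programme>/<title> layout is an
# assumption; the advisory does not describe the XML schema.
SAMPLE_EPG = """<tv>
  <programme start="20260408180000"><title>Evening News</title></programme>
  <programme start="20260408190000"><title>&lt;script&gt;alert(1)&lt;/script&gt;</title></programme>
  <programme start="20260408200000"><title><![CDATA[Tom & Jerry]]></title></programme>
</tv>"""

MARKUP_CHARS = set("<>\"'`")  # characters a plain-text title rarely needs


def parse_titles(epg_xml):
    """Return [(start, title)] from an untrusted EPG document."""
    # Refuse DTDs so entity declarations in the feed are never processed.
    if "<!DOCTYPE" in epg_xml or "<!ENTITY" in epg_xml:
        raise ValueError("DTD/entity declarations are not accepted in EPG feeds")
    rows = []
    for prog in ET.fromstring(epg_xml).iter("programme"):
        title = prog.find("title")
        text = "".join(title.itertext()) if title is not None else ""
        rows.append((prog.get("start", ""), text))
    return rows


def render_unsafe(rows):
    """Vulnerable pattern: the parsed title is concatenated into HTML as-is."""
    return "".join(f"<li>{start} {title}</li>" for start, title in rows)


def render_safe(rows):
    """Hardened form: every feed-derived value is HTML-encoded on output."""
    return "".join(
        f"<li>{html.escape(start)} {html.escape(title)}</li>" for start, title in rows
    )


def suspicious_titles(rows):
    """Titles containing markup characters, for review of cached EPG data."""
    return [title for _, title in rows if MARKUP_CHARS & set(title)]


if __name__ == "__main__":
    rows = parse_titles(SAMPLE_EPG)
    print(render_safe(rows))
    print(suspicious_titles(rows))
```

The XML parser decodes `&lt;` back to `<` before the title reaches the template, which is why encoding has to happen at HTML output time rather than relying on the feed's own escaping.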


How to mitigate CVE-2026-39367

Install the security update from the vendor's website.
