Main Vulnerability Database Vulnerabilities #VU125512

#VU125512 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in AVideo - CVE-2026-39367

Published: April 8, 2026

Vulnerability identifier: #VU125512

Vulnerability risk: Low

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear

CVE-ID: CVE-2026-39367

CWE-ID: CWE-79

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
AVideo

Software vendor:
World Wide Broadcast Network

Description

The vulnerability allows a remote user to execute arbitrary script in the victim's browser.

The vulnerability exists due to cross-site scripting in the EPG page when rendering program titles from user-controlled XML content. A remote user can set a video's epg_link to a malicious XML file containing crafted program titles to execute arbitrary script in the victim's browser.

User interaction is required to visit the public EPG page, and the malicious content may persist due to server-side caching.

Remediation

Install security update from vendor's website.

External links

https://github.com/WWBN/AVideo/security/advisories/GHSA-rqp3-gf5h-mrqx

#VU125512 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in AVideo - CVE-2026-39367

Description

Remediation

External links

Please verify you're human