Cross-site scripting in AVideo - CVE-2026-33683

 


Published: May 4, 2026


Vulnerability identifier: #VU129519
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-33683
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: World Wide Broadcast Network
Affected software:
AVideo

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary JavaScript in another user's browser.

The vulnerability exists due to improper neutralization of input during web page generation in the channel about field when processing user-supplied profile content. A remote user can submit crafted HTML or script content to execute arbitrary JavaScript in another user's browser.

User interaction is required: the victim must visit the attacker's channel page.


How to mitigate CVE-2026-33683

Install the security update from the vendor's website.
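The following PHP is an added example, not AVideo code and not the vendor's fix. It shows the two defender-side steps the description above implies: encoding the channel about value when it is written into a page, and flagging values already stored for manual review. It assumes the about field is meant to hold plain text; the function names and sample rows are hypothetical.

```php
<?php
// Added example: not AVideo code. Function names and sample rows are hypothetical.

/** Render an untrusted "about" value as text: encode HTML metacharacters, keep line breaks. */
function render_about_as_text(string $about): string
{
    $encoded = htmlspecialchars($about, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return nl2br($encoded, false); // <br> is added only after encoding
}

/** Return the reasons a stored "about" value deserves manual review (triage heuristic). */
function flag_about_for_review(string $about): array
{
    // Decode entities first so markup stored in entity-encoded form is examined too.
    $decoded = html_entity_decode($about, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $checks = [
        'script-capable element' => '/<\s*(script|iframe|object|embed|svg|style|link|meta|base|form)\b/i',
        'inline event handler'   => '/<[^>]*\son[a-z]+\s*=/i',
        'script URL scheme'      => '/\b(javascript|vbscript)\s*:/i',
    ];
    $reasons = [];
    foreach ($checks as $reason => $pattern) {
        if (preg_match($pattern, $decoded) === 1) {
            $reasons[] = $reason;
        }
    }
    return $reasons;
}

// Constructed sample rows standing in for stored profile data.
$rows = [
    ['channel' => 'alice', 'about' => "Weekly cooking streams.\nNew video every Friday."],
    ['channel' => 'bob',   'about' => '<img src=x onerror="alert(1)">'],
    ['channel' => 'carol', 'about' => '<a href="javascript:alert(1)">my site</a>'],
];

foreach ($rows as $row) {
    $reasons = flag_about_for_review($row['about']);
    printf("%-6s %s\n", $row['channel'], $reasons ? 'REVIEW: ' . implode(', ', $reasons) : 'ok');
    echo '       rendered: ', render_about_as_text($row['about']), "\n";
}
```

The review function is a triage aid for finding suspicious stored values; the output encoding is what prevents the markup from being interpreted by the browser.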

Sources