CVE-2026-39367

Publication date

2026-04-07 19:22:07

Family

GitHub_M

State

PUBLISHED

Description

WWBN AVideo is an open source video platform. In versions 26.0 and prior, AVideo's EPG (Electronic Program Guide) feature parses XML from user-controlled URLs and renders programme titles directly into HTML without any sanitization or escaping. A user with upload permission can set a video's epg_link to a malicious XML file whose elements contain JavaScript. This payload executes in the browser of any unauthenticated visitor to the public EPG page, enabling session hijacking and account takeover.