Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
5.1
AVideo allows malicious code injection in video comments
CVE-2026-27568
GHSA-rcqw-6466-3mv7
Summary
AVideo's video comment feature allows a malicious user to inject code that can steal user sessions, take over admin accounts, and steal data when another user clicks on a link. This is a serious security risk. To protect yourself, update to the latest version when it's released, or modify your AVideo settings to prevent the use of certain types of links.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| wwbn | avideo | <= 21.0 | – |
Original title
AVideo has Stored Cross-Site Scripting via Markdown Comment Injection
Original description
## Vulnerability Type
Stored Cross-Site Scripting (XSS) — CWE-79.
## Affected Product/Versions
AVideo 18.0.
## Root Cause Summary
AVideo allows Markdown in video comments and uses Parsedown (v1.7.4) without Safe Mode enabled. Markdown links are not sufficiently sanitized, allowing `javascript:` URIs to be rendered as clickable links.
## Impact Summary
An authenticated low-privilege attacker can post a malicious comment that injects persistent JavaScript. When another user clicks the link, the attacker can perform actions such as session hijacking, privilege escalation (including admin takeover), and data exfiltration.
## Resolution/Fix
The issue was confirmed and fixed in the master branch. An official release will be published soon.
## Workarounds
Until the release is available, validate and block unsafe URI schemes (e.g., `javascript:`) before rendering Markdown, and enable Parsedown Safe Mode.
## Credits/Acknowledgement
Reported by Arkadiusz Marta (https://github.com/arkmarta/).
Stored Cross-Site Scripting (XSS) — CWE-79.
## Affected Product/Versions
AVideo 18.0.
## Root Cause Summary
AVideo allows Markdown in video comments and uses Parsedown (v1.7.4) without Safe Mode enabled. Markdown links are not sufficiently sanitized, allowing `javascript:` URIs to be rendered as clickable links.
## Impact Summary
An authenticated low-privilege attacker can post a malicious comment that injects persistent JavaScript. When another user clicks the link, the attacker can perform actions such as session hijacking, privilege escalation (including admin takeover), and data exfiltration.
## Resolution/Fix
The issue was confirmed and fixed in the master branch. An official release will be published soon.
## Workarounds
Until the release is available, validate and block unsafe URI schemes (e.g., `javascript:`) before rendering Markdown, and enable Parsedown Safe Mode.
## Credits/Acknowledgement
Reported by Arkadiusz Marta (https://github.com/arkmarta/).
nvd CVSS3.1
6.1
nvd CVSS4.0
5.1
Vulnerability type
CWE-79
Cross-site Scripting (XSS)
- https://github.com/WWBN/AVideo/commit/ade348ed6d28b3797162c3d9e98054fb09ec51d7 Patch
- https://github.com/WWBN/AVideo/releases/tag/21.0 Release Notes
- https://github.com/WWBN/AVideo/security/advisories/GHSA-rcqw-6466-3mv7 Vendor Advisory
- https://nvd.nist.gov/vuln/detail/CVE-2026-27568
- https://github.com/advisories/GHSA-rcqw-6466-3mv7
Published: 20 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026