CVE-2026-33035 is a reflected cross-site scripting (XSS) vulnerability affecting WWBN AVideo, an open-source video platform, in versions 25.0 and earlier. The vulnerability arises from improper neutralization of user input during web page generation, specifically in the handling of a URL parameter that is passed through PHP's json_encode() function and subsequently rendered into the DOM using innerHTML in JavaScript. This combination bypasses standard encoding protections, allowing an attacker to inject and execute arbitrary JavaScript code in the context of the victim's browser. The vulnerable code path involves the videoNotFound.php script passing unescaped user input and the script.js file rendering this input via innerHTML, which executes embedded HTML tags and scripts. Because the vulnerability is reflected and does not require authentication, attackers can craft malicious URLs that, when visited by victims, execute payloads such as stealing session cookies, hijacking accounts, injecting fake login forms for credential phishing, and spreading self-propagating malware. The risk is exacerbated by the absence of the HttpOnly flag on the PHPSESSID cookie, which allows JavaScript access to session tokens. The vulnerability has been addressed in WWBN AVideo version 26.0 by implementing proper input sanitization and safer DOM manipulation techniques. The CVSS 4.0 base score of 5.3 reflects a medium severity level, considering the vulnerability's network attack vector, low attack complexity, no privileges required, but requiring user interaction and limited scope impact.

This vulnerability poses a significant risk to organizations using WWBN AVideo versions 25.0 and below, especially those hosting user-generated or publicly accessible video content. Successful exploitation can lead to session hijacking, allowing attackers to impersonate legitimate users, including administrators, potentially resulting in full platform compromise. Credential phishing via injected login forms can lead to broader account breaches. The ability to spread self-propagating payloads increases the risk of malware outbreaks within the user base. The lack of HttpOnly on session cookies amplifies the threat by making session tokens accessible to malicious scripts. This can disrupt service availability, compromise data integrity, and leak sensitive user information. Organizations relying on this platform for video delivery or content management may suffer reputational damage, regulatory penalties, and operational disruptions if exploited. Although no known exploits are currently reported in the wild, the ease of exploitation and the public disclosure of the vulnerability increase the likelihood of future attacks.

To mitigate this vulnerability, organizations should immediately upgrade WWBN AVideo to version 26.0 or later, where the issue is fixed. In addition to patching, implement strict input validation and sanitization on all user-supplied data, especially URL parameters that influence page rendering. Replace unsafe DOM manipulation methods like innerHTML with safer alternatives such as textContent or DOMPurify to prevent script execution. Configure session cookies with the HttpOnly and Secure flags to prevent JavaScript access and ensure cookies are transmitted only over HTTPS. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts. Conduct regular security audits and penetration testing focused on XSS vulnerabilities. Educate users about the risks of clicking suspicious links and consider implementing multi-factor authentication to reduce the impact of credential theft. Monitor logs for unusual activity that may indicate exploitation attempts.