CVE-2026-33295 is a stored cross-site scripting vulnerability identified in WWBN AVideo, an open-source video platform, affecting versions prior to 26.0. The vulnerability resides in the CDN plugin's download buttons component, specifically in how the clean_title field of a video record is handled. This field is interpolated directly into a JavaScript string literal without any sanitization or escaping, violating secure coding practices and enabling improper neutralization of input (CWE-79). An attacker who can create or modify video entries can inject arbitrary JavaScript code into the clean_title field. When other users visit the affected download page, the malicious script executes in their browsers under the context of the vulnerable site, potentially compromising user sessions, stealing cookies, or performing actions on behalf of the user. The vulnerability requires the attacker to have at least low privileges (ability to upload or modify videos) and user interaction (visiting the malicious page). The CVSS v4.0 score of 8.2 reflects a high severity, considering the attack vector is network-based with low complexity, no authentication required beyond low privileges, and high impact on confidentiality and partial impact on integrity. The scope is high as it affects all users visiting the compromised pages. WWBN released version 26.0 to fix this issue by implementing proper escaping of the clean_title field before embedding it into JavaScript. No public exploits have been reported yet, but the vulnerability poses a significant risk if left unpatched.

The impact of CVE-2026-33295 is substantial for organizations using WWBN AVideo versions prior to 26.0. Successful exploitation allows attackers to execute arbitrary JavaScript in the browsers of users visiting the affected download pages, leading to session hijacking, theft of authentication tokens, redirection to malicious sites, or unauthorized actions performed on behalf of the user. This can compromise user privacy and trust, potentially leading to data breaches or further exploitation within the organization's network. For platforms hosting sensitive or private video content, the risk is amplified as attackers could manipulate video metadata to spread malware or phishing payloads. Additionally, the vulnerability could be leveraged to conduct targeted attacks against specific user groups or administrators. Given the ease of exploitation and the broad scope of affected users, organizations face reputational damage, regulatory compliance issues, and operational disruptions if the vulnerability is exploited.

To mitigate CVE-2026-33295, organizations should immediately upgrade WWBN AVideo to version 26.0 or later, where the vulnerability is patched. If upgrading is not immediately feasible, implement the following specific measures: 1) Restrict permissions to video creation and modification strictly to trusted users to reduce the risk of malicious input injection. 2) Employ web application firewalls (WAFs) with custom rules to detect and block suspicious JavaScript payloads in video metadata fields. 3) Conduct thorough input validation and output encoding on all user-supplied data, especially those interpolated into JavaScript contexts, following OWASP XSS prevention guidelines. 4) Monitor logs and user activity for unusual behavior indicative of exploitation attempts. 5) Educate users to be cautious when interacting with video download pages and report suspicious behavior. 6) Consider implementing Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts on affected pages. These steps, combined with patching, will significantly reduce the risk posed by this vulnerability.