CVE-2026-33499 is a reflected cross-site scripting (XSS) vulnerability identified in the open-source video platform WWBN AVideo, affecting all versions up to and including 26.0. The vulnerability exists in the PHP templates view/forbiddenPage.php and view/warningPage.php, where the $_REQUEST['unlockPassword'] parameter is embedded directly into an HTML <input> tag's attributes without any output encoding or sanitization. This improper neutralization of input (CWE-79) allows an attacker to craft a malicious URL that breaks out of the value attribute of the input element and inject arbitrary HTML attributes, including JavaScript event handlers. When a victim clicks such a URL, the injected script executes in their browser context, potentially leading to session hijacking, credential theft, or other malicious actions. The vulnerability is exploitable remotely over the network without authentication but requires user interaction (clicking the malicious link). The scope is considered changed (S:C) because the vulnerability affects the confidentiality and integrity of user data across security boundaries. The CVSS v3.1 base score is 6.1, reflecting medium severity. Although no known exploits are reported in the wild, a patch has been committed (commit f154167251c9cf183ce09cd018d07e9352310457) to sanitize and encode the input properly, mitigating the risk.

The impact of CVE-2026-33499 on organizations using WWBN AVideo can be significant, especially for platforms hosting sensitive or private video content. Successful exploitation allows attackers to execute arbitrary scripts in the context of users' browsers, potentially leading to theft of session cookies, user credentials, or other sensitive information. It can also facilitate phishing attacks by manipulating page content or redirecting users to malicious sites. For organizations relying on AVideo for internal communications, education, or media distribution, this can result in data breaches, loss of user trust, and reputational damage. Since the vulnerability requires user interaction, the risk is somewhat mitigated but remains substantial in environments where users may be tricked into clicking malicious links. The vulnerability does not affect availability directly but compromises confidentiality and integrity. Given the widespread use of AVideo in various countries and sectors, the potential for targeted attacks or mass exploitation exists if the vulnerability is left unpatched.

To mitigate CVE-2026-33499, organizations should immediately upgrade WWBN AVideo to a version that includes the patch (post version 26.0 with commit f154167251c9cf183ce09cd018d07e9352310457 applied). If upgrading is not immediately feasible, implement input validation and output encoding on the unlockPassword parameter to ensure special characters are properly escaped before rendering in HTML attributes. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts and reduce the impact of potential XSS attacks. Educate users to avoid clicking suspicious or unexpected links related to the platform. Additionally, monitor web server logs for unusual URL patterns that may indicate exploitation attempts. Regularly review and test web application security controls, including automated scanning for XSS vulnerabilities. Finally, consider implementing web application firewalls (WAFs) with rules targeting reflected XSS patterns specific to this vulnerability.