CVE-2026-33500 is a medium severity stored cross-site scripting (XSS) vulnerability affecting WWBN AVideo, an open-source video platform, in versions up to and including 26.0. The vulnerability stems from a flawed fix for a previous XSS issue (CVE-2026-27568) where a custom class, ParsedownSafeWithLinks, was introduced to sanitize raw HTML <a> and <img> tags in user comments. However, this fix explicitly disables Parsedown's safeMode, which normally filters unsafe URIs such as javascript: schemes in markdown links. Consequently, markdown link syntax like [text](javascript:alert(1)) bypasses the custom sanitization because the inlineLink() method processes these links without invoking the sanitizeATag() method. With safeMode disabled, Parsedown's internal javascript: URI filtering is also inactive, allowing malicious JavaScript code to be injected and stored in comments. This stored XSS can execute in the context of other users viewing the comments, potentially leading to session hijacking, credential theft, or other malicious actions. The vulnerability requires low attack complexity, low privileges (authenticated user), and user interaction (viewing the comment). The scope is changed as the vulnerability affects other users beyond the attacker. Although no known exploits are reported in the wild, a patch has been committed (commit 3ae02fa240939dbefc5949d64f05790fd25d728d) to restore proper sanitization and re-enable safeMode or equivalent filtering. The CVSS v3.1 score is 5.4, reflecting medium severity with partial impact on confidentiality and integrity but no availability impact.

The primary impact of CVE-2026-33500 is the potential for attackers to execute arbitrary JavaScript in the browsers of users who view maliciously crafted comments on AVideo platforms. This can lead to session hijacking, theft of sensitive information such as authentication tokens, defacement, or redirection to malicious sites. For organizations using AVideo to host or share video content, this undermines user trust and platform integrity. Attackers with low privileges can exploit this vulnerability, increasing the risk of insider threats or abuse by registered users. Although availability is not directly affected, the reputational damage and potential data breaches can have significant operational and compliance consequences. The vulnerability's stored nature means malicious payloads persist until removed or patched, increasing exposure time. Organizations with large user bases or sensitive content are at greater risk of targeted exploitation. The lack of known exploits in the wild suggests limited current active exploitation but does not preclude future attacks once the vulnerability becomes widely known.

Organizations should immediately apply the patch committed by WWBN (commit 3ae02fa240939dbefc5949d64f05790fd25d728d) that restores proper sanitization of markdown links and re-enables safeMode or equivalent URI filtering in Parsedown. Until patched, administrators should consider disabling user comments or restricting comment posting to trusted users only. Implement additional server-side input validation and sanitization for markdown content, specifically filtering out javascript: and other unsafe URI schemes in markdown links. Employ Content Security Policy (CSP) headers to restrict script execution origins and mitigate impact of potential XSS payloads. Monitor logs and user reports for suspicious comment activity or unexpected script execution. Educate users about the risks of clicking untrusted links in comments. Regularly update AVideo and its dependencies to the latest secure versions. Conduct security reviews of custom markdown processing code to ensure no similar bypasses exist. Consider deploying web application firewalls (WAFs) with rules to detect and block XSS payloads targeting markdown syntax.