WWBN AVideo, an open-source video platform, suffers from a stored cross-site scripting (XSS) vulnerability identified as CVE-2026-33500 affecting versions up to and including 26.0. The vulnerability stems from the way the platform processes user comments containing markdown links. Previously, a fix for CVE-2026-27568 introduced a custom class, ParsedownSafeWithLinks, designed to sanitize raw HTML <a> and <img> tags in comments. However, this fix explicitly disables Parsedown's safeMode, which normally filters out unsafe URLs such as those starting with 'javascript:'. As a result, markdown link syntax like [text](javascript:alert(1)) bypasses the custom sanitization because the markdown parser's inlineLink() method processes it without invoking the sanitizeATag() method. With safeMode disabled, the built-in filtering for unsafe URLs is inactive, allowing an attacker to inject malicious JavaScript payloads that get stored in comments and executed in the context of other users viewing the page. This vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation). The CVSS 3.1 base score is 5.4, indicating medium severity, with an attack vector of network, low attack complexity, requiring low privileges and user interaction, and impacting confidentiality and integrity with a scope change. Although no known exploits are reported in the wild, a patch has been committed (commit 3ae02fa240939dbefc5949d64f05790fd25d728d) to address this issue by restoring proper sanitization and safeMode functionality.

The primary impact of this vulnerability is the potential for stored cross-site scripting attacks, which can lead to the execution of arbitrary JavaScript in the browsers of users who view the maliciously crafted comments. This can result in the theft of session tokens, user credentials, or other sensitive information, as well as unauthorized actions performed on behalf of the victim user, thereby compromising confidentiality and integrity. Although the vulnerability does not directly affect system availability, the exploitation could facilitate further attacks such as privilege escalation or phishing campaigns. Organizations running affected versions of WWBN AVideo risk reputational damage, user trust erosion, and potential regulatory consequences if user data is compromised. Since the attack requires low privileges and user interaction, it is relatively easy for attackers to exploit, especially in public or community-driven video platforms where user comments are common.

To mitigate this vulnerability, organizations should promptly apply the official patch referenced by commit 3ae02fa240939dbefc5949d64f05790fd25d728d that restores proper sanitization and re-enables safeMode in the Parsedown markdown parser. Until the patch is applied, administrators should consider disabling or restricting user comments to trusted users only or implementing additional server-side sanitization layers that properly filter out javascript: URIs in markdown links. Employing Content Security Policy (CSP) headers can help mitigate the impact of XSS by restricting script execution sources. Regularly auditing and testing user input handling, especially in markdown or rich text fields, is recommended to detect similar issues early. Monitoring logs for suspicious comment content and educating users about the risks of clicking untrusted links can further reduce exploitation likelihood.