CVE-2026-33683 is a cross-site scripting (XSS) vulnerability classified under CWE-79 affecting WWBN AVideo, an open-source video platform. The flaw exists in versions up to and including 26.0 within the user profile's "about" field. The root cause is a sanitization order-of-operations issue: the function xss_esc() entity-encodes user input before the strip_specific_tags() function attempts to remove dangerous HTML tags. Later, html_entity_decode() is applied on output, which reverses the entity encoding, effectively restoring any malicious HTML or JavaScript code that was intended to be neutralized. This sequence allows a registered user to inject arbitrary JavaScript that executes in the browsers of other users when they visit the attacker's channel page. The vulnerability requires the attacker to be authenticated (registered user) and requires victim user interaction (visiting the malicious profile page). The CVSS v3.1 score is 5.4 (medium), reflecting network attack vector, low attack complexity, low privileges required, user interaction needed, and impacts on confidentiality and integrity but no impact on availability. No known exploits have been reported in the wild as of the publication date. A patch fixing the issue is available in the referenced commit 7cfdc380dae1e56bbb5de581470d9e9957445df0, which presumably corrects the sanitization order and prevents the restoration of malicious code.

This vulnerability allows attackers to execute arbitrary JavaScript in the context of other users' browsers when they visit the attacker's channel page. Potential impacts include theft of session cookies, enabling account takeover, manipulation of displayed content, phishing attacks, and unauthorized actions performed on behalf of victims. Although the vulnerability does not affect system availability, it compromises confidentiality and integrity of user data and interactions. For organizations running WWBN AVideo, especially those with large user bases or sensitive content, this could lead to reputational damage, user trust erosion, and potential regulatory compliance issues related to data protection. The requirement for attacker authentication limits exploitation somewhat but does not eliminate risk, as any registered user can exploit it. The medium severity score reflects these factors. The lack of known exploits in the wild suggests limited current active exploitation but does not preclude future attacks once the vulnerability is publicly known.

1. Apply the official patch from commit 7cfdc380dae1e56bbb5de581470d9e9957445df0 immediately to fix the sanitization logic. 2. Implement additional input validation on the "about" field to restrict or sanitize HTML tags and JavaScript content before storage. 3. Employ a robust output encoding strategy that ensures all user-generated content is properly escaped at rendering time, preventing script execution. 4. Consider implementing Content Security Policy (CSP) headers to restrict the execution of inline scripts and reduce the impact of any residual XSS. 5. Monitor user profiles for suspicious or unexpected HTML/JavaScript content as part of regular security audits. 6. Educate users about the risks of clicking on unknown or suspicious channel pages. 7. Limit privileges for new or untrusted users to reduce potential attack surface. 8. Regularly update WWBN AVideo installations to the latest versions to benefit from security fixes.