CVE-2026-33683 is a cross-site scripting vulnerability classified under CWE-79 affecting WWBN AVideo, an open-source video platform. The vulnerability exists in versions up to and including 26.0 due to a sanitization order-of-operations flaw in the processing of the user profile "about" field. Specifically, the platform uses the function xss_esc() to entity-encode user input before applying strip_specific_tags(), which is intended to remove dangerous HTML tags. However, because encoding happens first, strip_specific_tags() cannot effectively detect and remove malicious tags. Later, when the content is output, html_entity_decode() reverses the encoding, restoring the raw malicious HTML and enabling arbitrary JavaScript injection. This flaw allows any registered user to embed scripts that execute in the browsers of other users who visit the attacker's channel page, potentially leading to session hijacking, credential theft, or other malicious actions within the context of the affected site. The vulnerability requires that the attacker be a registered user and that victims visit the malicious profile page, implying user interaction is necessary. The CVSS v3.1 score is 5.4 (medium severity) with vector AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, indicating network attack vector, low attack complexity, requiring privileges and user interaction, with limited confidentiality and integrity impact and no availability impact. A patch has been committed (commit 7cfdc380dae1e56bbb5de581470d9e9957445df0) to correct the sanitization order and prevent this exploitation.

This vulnerability can lead to the execution of arbitrary JavaScript in the browsers of users visiting maliciously crafted user profile pages on affected AVideo instances. The impact includes potential theft of session cookies, user credentials, or other sensitive information accessible via the browser context, as well as possible manipulation of the user interface or redirection to malicious sites. For organizations, this can result in compromised user accounts, unauthorized access, and erosion of user trust. Since the vulnerability requires a registered user to inject the payload and user interaction to trigger it, the attack surface is somewhat limited but still significant in environments with many users or public-facing video platforms. The scope is confined to the AVideo platform, but given its open-source nature and use in various deployments worldwide, the risk is non-trivial. No known exploits in the wild reduce immediate risk, but the presence of a public patch means attackers could develop exploits if systems remain unpatched.

Organizations should immediately update AVideo installations to versions beyond 26.0 that include the patch correcting the sanitization order-of-operations flaw. If immediate patching is not possible, administrators should consider disabling or restricting the "about" field input or limiting profile editing privileges to trusted users. Implement additional server-side input validation to reject or sanitize HTML and script content robustly before storage. Employ Content Security Policy (CSP) headers to restrict script execution origins and reduce the impact of potential XSS attacks. Regularly audit user-generated content for suspicious scripts and monitor logs for unusual activity. Educate users about the risks of interacting with untrusted profiles. Finally, maintain an incident response plan to quickly address any exploitation attempts.