CVE-2026-41061: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in WWBN AVideo
CVE-2026-41061 is a stored cross-site scripting (XSS) vulnerability in WWBN AVideo versions 29. 0 and below. The issue arises from an improper regex validation in the isValidDuration() function, which allows arbitrary HTML/JavaScript to be appended to a valid duration string. This crafted input is stored in the database and later rendered without proper HTML escaping on various pages, including trending, playlist, and video gallery thumbnails. A fix for this vulnerability is included in commit bcba324644df8b4ed1f891462455f1cd26822a45.
AI Analysis
Technical Summary
WWBN AVideo versions 29.0 and earlier contain a stored XSS vulnerability due to improper input validation in the isValidDuration() regex at objects/video.php:918. The regex lacks an end anchor, allowing attackers to append malicious HTML/JavaScript after a valid duration prefix. This crafted duration value is stored in the database and output without HTML escaping via echo Video::getCleanDuration() on multiple user-facing pages, enabling stored cross-site scripting attacks. The vulnerability is tracked as CWE-79 and has a CVSS 3.1 base score of 5.4 (medium severity). A code commit (bcba324644df8b4ed1f891462455f1cd26822a45) contains the fix.
Potential Impact
Successful exploitation allows an attacker with low privileges and user interaction to inject and execute arbitrary JavaScript in the context of affected WWBN AVideo web pages. This can lead to partial confidentiality and integrity loss of user data as indicated by the CVSS vector (C:L/I:L). There is no impact on availability. The vulnerability affects stored data, making it persistent across sessions and visible to other users viewing the affected pages.
Mitigation Recommendations
A fix is available as indicated by the referenced commit bcba324644df8b4ed1f891462455f1cd26822a45. Users of WWBN AVideo version 29.0 and below should upgrade to a version that includes this fix. Since this is not a cloud service, remediation requires applying the patch or updating the software. Patch status is not explicitly confirmed in the advisory, so users should verify the fix in the vendor's repository or official releases.
CVE-2026-41061: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in WWBN AVideo
Description
CVE-2026-41061 is a stored cross-site scripting (XSS) vulnerability in WWBN AVideo versions 29. 0 and below. The issue arises from an improper regex validation in the isValidDuration() function, which allows arbitrary HTML/JavaScript to be appended to a valid duration string. This crafted input is stored in the database and later rendered without proper HTML escaping on various pages, including trending, playlist, and video gallery thumbnails. A fix for this vulnerability is included in commit bcba324644df8b4ed1f891462455f1cd26822a45.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
WWBN AVideo versions 29.0 and earlier contain a stored XSS vulnerability due to improper input validation in the isValidDuration() regex at objects/video.php:918. The regex lacks an end anchor, allowing attackers to append malicious HTML/JavaScript after a valid duration prefix. This crafted duration value is stored in the database and output without HTML escaping via echo Video::getCleanDuration() on multiple user-facing pages, enabling stored cross-site scripting attacks. The vulnerability is tracked as CWE-79 and has a CVSS 3.1 base score of 5.4 (medium severity). A code commit (bcba324644df8b4ed1f891462455f1cd26822a45) contains the fix.
Potential Impact
Successful exploitation allows an attacker with low privileges and user interaction to inject and execute arbitrary JavaScript in the context of affected WWBN AVideo web pages. This can lead to partial confidentiality and integrity loss of user data as indicated by the CVSS vector (C:L/I:L). There is no impact on availability. The vulnerability affects stored data, making it persistent across sessions and visible to other users viewing the affected pages.
Mitigation Recommendations
A fix is available as indicated by the referenced commit bcba324644df8b4ed1f891462455f1cd26822a45. Users of WWBN AVideo version 29.0 and below should upgrade to a version that includes this fix. Since this is not a cloud service, remediation requires applying the patch or updating the software. Patch status is not explicitly confirmed in the advisory, so users should verify the fix in the vendor's repository or official releases.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-16T16:43:03.173Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69e8053519fe3cd2cd03692f
Added to database: 4/21/2026, 11:16:05 PM
Last enriched: 4/21/2026, 11:31:17 PM
Last updated: 4/22/2026, 1:39:02 AM
Views: 8
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.