CVE-2026-47694: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in WWBN AVideo
WWBN AVideo versions 29. 0 and earlier contain a stored cross-site scripting (XSS) vulnerability in the category description field. This occurs because category descriptions are stored from user input and rendered as raw HTML in the Gallery view without proper neutralization. A user with permission to create or edit categories can inject JavaScript code that executes when other users view the affected category page. This vulnerability is distinct from previously fixed XSS issues in video titles or comments. The CVSS score is 5. 4, indicating a medium severity level.
AI Analysis
Technical Summary
CVE-2026-47694 is a stored cross-site scripting vulnerability in WWBN AVideo (versions 29.0 and earlier). The issue arises from improper neutralization of user input in the category description field, which is rendered as raw HTML in the Gallery view. An attacker with privileges to create or edit categories can inject malicious JavaScript that executes in the browsers of users who view the affected category page. This vulnerability is separate from earlier XSS vulnerabilities fixed in other parts of the application such as video titles or comments.
Potential Impact
Successful exploitation allows an attacker with category creation or editing privileges to execute arbitrary JavaScript in the context of other users viewing the Gallery/category page. This can lead to information disclosure or session hijacking limited to users who visit the affected page. The vulnerability does not impact availability and requires user interaction (viewing the page).
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, restrict category creation and editing permissions to trusted users only to reduce risk. Monitor vendor communications for updates regarding an official fix.
CVE-2026-47694: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in WWBN AVideo
Description
WWBN AVideo versions 29. 0 and earlier contain a stored cross-site scripting (XSS) vulnerability in the category description field. This occurs because category descriptions are stored from user input and rendered as raw HTML in the Gallery view without proper neutralization. A user with permission to create or edit categories can inject JavaScript code that executes when other users view the affected category page. This vulnerability is distinct from previously fixed XSS issues in video titles or comments. The CVSS score is 5. 4, indicating a medium severity level.
CVSS v3.1
Score 5.4medium
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-47694 is a stored cross-site scripting vulnerability in WWBN AVideo (versions 29.0 and earlier). The issue arises from improper neutralization of user input in the category description field, which is rendered as raw HTML in the Gallery view. An attacker with privileges to create or edit categories can inject malicious JavaScript that executes in the browsers of users who view the affected category page. This vulnerability is separate from earlier XSS vulnerabilities fixed in other parts of the application such as video titles or comments.
Potential Impact
Successful exploitation allows an attacker with category creation or editing privileges to execute arbitrary JavaScript in the context of other users viewing the Gallery/category page. This can lead to information disclosure or session hijacking limited to users who visit the affected page. The vulnerability does not impact availability and requires user interaction (viewing the page).
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, restrict category creation and editing permissions to trusted users only to reduce risk. Monitor vendor communications for updates regarding an official fix.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-05-19T21:18:20.403Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a199940e29bf47b50eaf836
Added to database: 5/29/2026, 1:48:48 PM
Last enriched: 5/29/2026, 2:04:56 PM
Last updated: 5/29/2026, 4:48:52 PM
Views: 8
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.