CVE-2026-27568

EPSS 0.01%

AVideo has Stored Cross-Site Scripting via Markdown Comment Injection

Published: 2/20/2026
Modified: 2/24/2026
Also known as: GHSA-rcqw-6466-3mv7

Description

## Vulnerability Type

Stored Cross-Site Scripting (XSS) — CWE-79.

## Affected Product/Versions

AVideo 18.0.

## Root Cause Summary

AVideo allows Markdown in video comments and renders it with Parsedown (v1.7.4) without Safe Mode enabled. Markdown link destinations are not sufficiently sanitized, so `javascript:` URIs are rendered as clickable links.

## Impact Summary

An authenticated low-privilege attacker can post a malicious comment that injects persistent JavaScript. When another user clicks the link, the attacker can perform actions such as session hijacking, privilege escalation (including admin takeover), and data exfiltration.

## Resolution/Fix

The issue was confirmed and fixed in the master branch. An official release will be published soon.

## Workarounds

Until the release is available, validate and block unsafe URI schemes (e.g., `javascript:`) before rendering Markdown, and enable Parsedown Safe Mode.

## Credits/Acknowledgement

Reported by Arkadiusz Marta (https://github.com/arkmarta/).
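The workaround above has two parts: a pre-render gate on link schemes and Parsedown's own Safe Mode. The following PHP is an added illustration of both, written for this page; it is not AVideo's or Parsedown's code. It assumes Parsedown 1.7.x is installed through Composer (so `vendor/autoload.php` exists); the function names `findUnsafeLinkSchemes` and `renderComment` and the sample comments are constructed for the example.

```php
<?php
// Added hardening example for Markdown comments (not AVideo's or Parsedown's own code).
// Assumes Parsedown 1.7.x is available via Composer's autoloader.
require __DIR__ . '/vendor/autoload.php';

/**
 * Pre-render gate: return every link/image/reference destination whose scheme is
 * not on the allowlist. An empty array means the comment may be rendered.
 * Relative destinations (no scheme) are accepted because they cannot carry javascript:.
 */
function findUnsafeLinkSchemes(string $markdown, array $allowedSchemes = ['http', 'https', 'mailto']): array
{
    $unsafe = [];
    $patterns = [
        // inline links and images: [text](dest "title") / ![alt](dest)
        '/!?\[[^\]]*\]\(\s*<?([^\s)>]+)>?[^)]*\)/i',
        // reference definitions: [id]: dest
        '/^\s*\[[^\]]+\]:\s*<?(\S+)>?/mi',
    ];
    foreach ($patterns as $re) {
        if (!preg_match_all($re, $markdown, $m)) {
            continue;
        }
        foreach ($m[1] as $dest) {
            // Normalise before checking: decode HTML entities and strip whitespace/control
            // characters so obfuscated spellings of a scheme are judged the same as the plain one.
            $clean = html_entity_decode($dest, ENT_QUOTES | ENT_HTML5, 'UTF-8');
            $clean = preg_replace('/[\s\x00-\x1f]+/', '', $clean);
            if (preg_match('/^([a-z][a-z0-9+.\-]*):/i', $clean, $s)
                && !in_array(strtolower($s[1]), $allowedSchemes, true)) {
                $unsafe[] = $dest;
            }
        }
    }
    return $unsafe;
}

/**
 * Renderer-side defence: Parsedown Safe Mode (available since 1.7.0) escapes raw HTML and
 * rewrites link destinations whose scheme is outside Parsedown's built-in whitelist, so a
 * javascript: href that somehow reaches the renderer is no longer executable.
 */
function renderComment(string $markdown): string
{
    $parsedown = new Parsedown();
    $parsedown->setSafeMode(true);      // the setting the advisory says AVideo 18.0 left off
    $parsedown->setMarkupEscaped(true); // redundant under Safe Mode, kept explicit for clarity
    return $parsedown->text($markdown);
}

// Constructed sample comments for a quick manual check (not taken from the advisory).
$samples = [
    'Nice video! See [the docs](https://example.com/docs) for details.',
    'Click [here](javascript:void(0)) for more.',
    "[ref]: JAVASCRIPT:void(0)\nSee [ref]",
];
foreach ($samples as $comment) {
    $bad = findUnsafeLinkSchemes($comment);
    if ($bad !== []) {
        echo 'REJECTED (unsafe scheme in: ' . implode(', ', $bad) . ")\n";
        continue;
    }
    echo renderComment($comment), "\n";
}
```

The first sample renders normally; the second and third are rejected at the gate before Parsedown sees them. Safe Mode remains the backstop for anything the gate's regexes miss, which is why the advisory recommends both measures rather than either alone.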

Affected packages (1)

CVSS scores

| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N |

References (5)