CVE-2026-47694

Description

### Summary AVideo stores category descriptions from user input and later renders `category_description` as raw HTML in the Gallery view. A user who can create or edit categories can store JavaScript in a category description, which executes when another user views the affected Gallery/category page. This is a stored XSS in the category `description` field, separate from previously fixed XSS issues in video titles or comments. ### Details Source: `objects/categoryAddNew.json.php` ```php $objCat->setDescription($_POST['description']); Storage setter: objects/category.php public function setDescription($description) { $this->description = $description; } ``` Sink: `plugin/Gallery/view/mainAreaCategory.php` ``` <div id="categoryDescription<?php echo $duid; ?>" style="display: none;"><?php echo $videos[0]['category_description']; ?></div> ``` The value is rendered without `htmlspecialchars()`, `htmlentities()`, `HTMLPurifier`, or equivalent output encoding. ### PoC Prerequisites: - AVideo current master / v29.0 - User account with permission to create or edit categories - Gallery plugin/view enabled - At least one video assigned to the affected category Steps: 1. Log in as a user who can create or edit categories. 2. Create or edit a category. 3. Set the category description to: ``` <img src=x onerror=alert(document.domain)> ``` 4. Save the category. 5. Assign at least one video to that category. 6. Open the Gallery/category page that renders the category section. 7. The payload is inserted into the page as raw HTML and JavaScript executes. ### Impact An attacker with category edit permission can execute JavaScript in the browser of users or administrators who view the affected Gallery/category page. This can be used to perform actions as the victim, steal same-origin data accessible to JavaScript, or abuse administrative UI actions if an administrator views the malicious category. ### Recommended fix - Sanitize category descriptions on input with the same HTML policy used for video descriptions, or store plain text only. - Encode on output: ```php echo htmlspecialchars($videos[0]['category_description'], ENT_QUOTES, 'UTF-8'); ``` - If limited HTML is intended, run the description through HTMLPurifier before storage or before render. - Add regression tests for category description rendering in Gallery views.

How to fix CVE-2026-47694

No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.

Description

How to fix CVE-2026-47694

Is CVE-2026-47694 being exploited?

Affected packages (1)

CVSS scores

References (3)