PatchSiren cyber security CVE debrief

CVE-2026-47694 WWBN CVE debrief

A stored cross-site scripting (XSS) vulnerability exists in WWBN AVideo versions 29.0 and earlier. The application stores category descriptions from user input and renders them as raw HTML in the Gallery view without proper sanitization. An authenticated user with permissions to create or edit categories can inject JavaScript payloads into category descriptions. When other users view the affected Gallery or category pages, the injected JavaScript executes in their browser context. This vulnerability is distinct from previously addressed XSS issues in video titles or comments. The CVSS 3.1 vector indicates network attack vector, low attack complexity, low privileges required, user interaction required, and changed scope with low impacts to confidentiality and integrity.

Vendor: WWBN
Product: AVideo
CVSS: MEDIUM 5.4
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-29
Original CVE updated: 2026-05-30
Advisory published: 2026-05-29
Advisory updated: 2026-05-30

Who should care

  • Organizations running WWBN AVideo 29.0 or earlier for video content management
  • Security teams responsible for web application security in media platforms
  • Administrators managing user-generated content categories
  • Developers maintaining AVideo deployments or forks

Technical summary

The vulnerability stems from insufficient output encoding when rendering category_description values in AVideo's Gallery view. User-supplied category descriptions are stored in the database and later emitted directly as HTML without sanitization or context-appropriate encoding. This allows injection of arbitrary JavaScript that executes when the category is displayed. The attack requires authenticated access with category management privileges, but affects all users viewing the compromised category pages. The vulnerability is classified under CWE-79 and carries a CVSS 3.1 base score of 5.4 (Medium severity).

Defensive priority

Medium

Recommended defensive actions

  • Apply vendor-provided security updates for WWBN AVideo when available, prioritizing versions after 29.0
  • Review and restrict category creation/editing permissions to trusted administrative users only
  • Implement Content Security Policy (CSP) headers to mitigate impact of potential XSS payloads
  • Deploy Web Application Firewall (WAF) rules to detect and block common XSS patterns in category description fields
  • Audit existing category descriptions for suspicious HTML or JavaScript content
  • Enable output encoding and HTML sanitization for category_description fields in Gallery view rendering
  • Monitor application logs for anomalous category modifications or unexpected script execution patterns
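As an added example (not code from AVideo or from this advisory), the Python below puts the raw-HTML emission the technical summary describes beside a body-context-encoded version, and runs the kind of audit the recommended actions call for over constructed category rows; the column names and sample descriptions are assumptions, not AVideo's schema.

```python
import html
import re
from typing import Dict, List, Tuple

# Constructed sample rows standing in for AVideo's category table. Column
# names are hypothetical; the advisory only names the category_description value.
SAMPLE_CATEGORIES: List[Dict] = [
    {"id": 1, "description": "Screen recordings & how-tos"},
    {"id": 2, "description": "Live sets <b>every Friday</b>"},
    {"id": 3, "description": "<script>alert(document.cookie)</script>"},
    {"id": 4, "description": '<img src="x" onerror="alert(1)">'},
]

# Markers worth a human look during an audit: active/embedding tags, inline
# event handlers, and script-scheme URLs. This is a triage aid, not a filter.
SUSPICIOUS = re.compile(
    r"<\s*(script|iframe|object|embed|svg)\b"
    r"|\bon[a-z]+\s*="
    r"|javascript\s*:",
    re.IGNORECASE,
)


def render_unsafe(description: str) -> str:
    """The pattern the advisory describes: the stored value is emitted as raw HTML."""
    return f'<div class="category-description">{description}</div>'


def render_safe(description: str) -> str:
    """Encode for an HTML body context so stored markup is displayed, not parsed."""
    return f'<div class="category-description">{html.escape(description, quote=True)}</div>'


def audit(rows: List[Dict]) -> List[Tuple[int, str]]:
    """Return (id, matched marker) for every description that needs review."""
    flagged = []
    for row in rows:
        match = SUSPICIOUS.search(row["description"])
        if match:
            flagged.append((row["id"], match.group(0)))
    return flagged


if __name__ == "__main__":
    for cat_id, marker in audit(SAMPLE_CATEGORIES):
        print(f"category {cat_id}: review needed, matched {marker!r}")
    print(render_safe(SAMPLE_CATEGORIES[2]["description"]))
```

`html.escape` is the right fix when descriptions are plain text; if limited formatting must be allowed, use an allowlist HTML sanitizer rather than extending the regex, which is a review aid and will miss obfuscated markup.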

Evidence notes

Official CVE record published 2026-05-29T14:16:31.997Z. NVD status: Undergoing Analysis. GitHub Security Advisory GHSA-c8h8-vq34-9fw2 identified as the primary reference. Weakness type classified as CWE-79 (Improper Neutralization of Input During Web Page Generation).

Official resources

2026-05-29