PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-50182 WWBN CVE debrief

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-15T22:16:54.507Z and has not been modified since then. The AVideo platform, specifically versions prior to 29.0, is vulnerable to an unauthenticated Reflected XSS attack through the YouTubeAPI Gallery Pagination feature. This vulnerability allows for arbitrary JavaScript execution under the AVideo origin, potentially leading to full administrative takeover. Administrators and users of AVideo versions prior to 29.0 should be aware of this vulnerability and take necessary precautions.

Vendor
WWBN
Product
AVideo
CVSS
MEDIUM 6.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-15
Original CVE updated
2026-07-16
Advisory published
2026-07-15
Advisory updated
2026-07-16

Who should care

Administrators and users of AVideo versions prior to 29.0 should be aware of this vulnerability, as it allows for arbitrary JavaScript execution under the AVideo origin, potentially leading to full administrative takeover.

Technical summary

The AVideo platform, specifically versions prior to 29.0, is vulnerable to an unauthenticated Reflected XSS attack through the YouTubeAPI Gallery Pagination feature. The vulnerability arises from the concatenation of the $_GET['search'] query parameter directly into the href attribute of pagination links in plugin/YouTubeAPI/gallerySection.php without proper sanitization. An attacker can inject a <script> element, which is then extracted by the AVideo Layout plugin and executed at the bottom of the page. This allows for the execution of arbitrary JavaScript under the AVideo origin, enabling the reading of non-HttpOnly cookies and the issuance of authenticated AJAX requests as the victim. If the victim is an administrator, this can lead to full administrative takeover.

Defensive priority

High priority should be given to updating AVideo to version 29.0 or later. In the meantime, administrators should monitor for suspicious activity and implement compensating controls to mitigate the risk of exploitation.

Recommended defensive actions

  • Update AVideo to version 29.0 or later
  • Implement input validation and sanitization for user-supplied input
  • Monitor for suspicious activity and implement compensating controls
  • Restrict access to the AVideo platform to trusted users and networks
  • Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
  • Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed

Evidence notes

The CVE record and NVD detail provide information on the vulnerability, including its CVSS score and vector. The source item URL and references provide additional context and links to the patched commit and advisory.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-15T22:16:54.507Z and has not been modified since then.