PatchSiren cyber security CVE debrief
CVE-2026-50182 WWBN CVE debrief
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-15T22:16:54.507Z and has not been modified since then. The AVideo platform, specifically versions prior to 29.0, is vulnerable to an unauthenticated Reflected XSS attack through the YouTubeAPI Gallery Pagination feature. This vulnerability allows for arbitrary JavaScript execution under the AVideo origin, potentially leading to full administrative takeover. Administrators and users of AVideo versions prior to 29.0 should be aware of this vulnerability and take necessary precautions.
- Vendor
- WWBN
- Product
- AVideo
- CVSS
- MEDIUM 6.1
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-15
- Original CVE updated
- 2026-07-16
- Advisory published
- 2026-07-15
- Advisory updated
- 2026-07-16
Who should care
Administrators and users of AVideo versions prior to 29.0 should be aware of this vulnerability, as it allows for arbitrary JavaScript execution under the AVideo origin, potentially leading to full administrative takeover.
Technical summary
The AVideo platform, specifically versions prior to 29.0, is vulnerable to an unauthenticated Reflected XSS attack through the YouTubeAPI Gallery Pagination feature. The vulnerability arises from the concatenation of the $_GET['search'] query parameter directly into the href attribute of pagination links in plugin/YouTubeAPI/gallerySection.php without proper sanitization. An attacker can inject a <script> element, which is then extracted by the AVideo Layout plugin and executed at the bottom of the page. This allows for the execution of arbitrary JavaScript under the AVideo origin, enabling the reading of non-HttpOnly cookies and the issuance of authenticated AJAX requests as the victim. If the victim is an administrator, this can lead to full administrative takeover.
Defensive priority
High priority should be given to updating AVideo to version 29.0 or later. In the meantime, administrators should monitor for suspicious activity and implement compensating controls to mitigate the risk of exploitation.
Recommended defensive actions
- Update AVideo to version 29.0 or later
- Implement input validation and sanitization for user-supplied input
- Monitor for suspicious activity and implement compensating controls
- Restrict access to the AVideo platform to trusted users and networks
- Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
- Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed
Evidence notes
The CVE record and NVD detail provide information on the vulnerability, including its CVSS score and vector. The source item URL and references provide additional context and links to the patched commit and advisory.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-15T22:16:54.507Z and has not been modified since then.