GHSA-rcqw-6466-3mv7
Suggest an improvement- Source
- https://github.com/advisories/GHSA-rcqw-6466-3mv7
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-rcqw-6466-3mv7/GHSA-rcqw-6466-3mv7.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-rcqw-6466-3mv7
- Aliases
- Published
- 2026-02-20T21:15:06Z
- Modified
- 2026-02-24T16:34:57.675522Z
- Severity
-
- 5.1 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N CVSS Calculator
- Summary
- AVideo has Stored Cross-Site Scripting via Markdown Comment Injection
- Details
-
Vulnerability Type
Stored Cross-Site Scripting (XSS) — CWE-79.
Affected Product/Versions
AVideo 18.0.
Root Cause Summary
AVideo allows Markdown in video comments and uses Parsedown (v1.7.4) without Safe Mode enabled. Markdown links are not sufficiently sanitized, allowing
javascript:URIs to be rendered as clickable links.Impact Summary
An authenticated low-privilege attacker can post a malicious comment that injects persistent JavaScript. When another user clicks the link, the attacker can perform actions such as session hijacking, privilege escalation (including admin takeover), and data exfiltration.
Resolution/Fix
The issue was confirmed and fixed in the master branch. An official release will be published soon.
Workarounds
Until the release is available, validate and block unsafe URI schemes (e.g.,
javascript:) before rendering Markdown, and enable Parsedown Safe Mode.Credits/Acknowledgement
Reported by Arkadiusz Marta (https://github.com/arkmarta/).
- Database specific
{ "nvd_published_at": "2026-02-24T15:21:38Z", "github_reviewed_at": "2026-02-20T21:15:06Z", "github_reviewed": true, "severity": "MODERATE", "cwe_ids": [ "CWE-79" ] }- References
Affected packages
Packagist / wwbn/avideo
Package
- Name
- wwbn/avideo
- Purl
- pkg:composer/wwbn/avideo
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed21.0