Platform: php
Component: avideo
Fixed in: 14.4.1, 8.0.1
CVE-2025-46410 is a cross-site scripting (XSS) vulnerability in WWBN AVideo version 14.4 and the dev master branch. An attacker who can get a user to issue a crafted HTTP request can execute arbitrary JavaScript in that user's browser. The injection point is the PlaylistOwnerUsersId parameter of the managerPlaylists functionality. A fix is available in version 14.4.1.
Successful exploitation of CVE-2025-46410 lets an attacker inject script into pages rendered for authenticated users of WWBN AVideo. The script runs with the victim's session, so it can hijack that session, steal credentials, deface the application, or perform any action the victim is authorized to perform, without the victim's knowledge. Because the injection is triggered by a crafted request, the affected population is every user who can be induced to load such a request (for example through a link) while logged in; users with playlist-management privileges are the natural targets. For organizations relying on AVideo for content management this is a significant risk.
CVE-2025-46410 was publicly disclosed on 2025-07-24. No public proof-of-concept (PoC) code had been observed at the time of writing, and the vulnerability is not listed in the CISA KEV catalog. The CVSS score of 9.6 (critical) indicates a high potential for exploitation should a PoC be developed and widely distributed.
Exploit Status
EPSS: 0.10% (28th percentile)
The primary mitigation for CVE-2025-46410 is to upgrade to WWBN AVideo version 14.4.1 or later, which includes a fix for the vulnerability. If an immediate upgrade is not possible, apply input validation and context-appropriate output encoding to the managerPlaylists PlaylistOwnerUsersId parameter: the value is a user id, so it should be rejected unless it is a positive integer, and anything that is echoed back into HTML should be HTML-encoded for the context it lands in (attribute value or text). A web application firewall (WAF) rule that blocks XSS payloads in that parameter provides a temporary layer of protection, but it is a stopgap: payload encodings vary, and a WAF does not fix the missing encoding in the application. Review existing security policies so that XSS findings of this kind are caught in code review and testing.
Update AVideo to 14.4.1 or later. Consult the vendor's website for the latest version and update instructions, and apply security updates provided by the vendor as soon as they are available.
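The following is an added example of the vulnerable pattern beside the validate-and-encode fix described above. It is not AVideo's own code: the handler shape (a query array in, an HTML fragment out), the function names and the sample payload are assumptions made for illustration, and the exact code changed in 14.4.1 is not reproduced here.

```php
<?php
declare(strict_types=1);
// Added example for this page, not code from the AVideo project. The handler
// shape, the function names and the sample payload are all assumptions.

const PARAM = 'PlaylistOwnerUsersId';

// Vulnerable pattern: the raw parameter is concatenated into the response,
// so a crafted request reflects attacker-controlled markup to the browser.
function render_vulnerable(array $query): string
{
    $id = $query[PARAM] ?? '';
    return '<input type="hidden" name="' . PARAM . '" value="' . $id . '">';
}

// Encode a string for an HTML attribute or text context. ENT_QUOTES covers
// both quote styles so a value cannot break out of a quoted attribute.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Layer 1, input validation: the parameter is a user id, so anything that is
// not a positive integer is rejected before it reaches any sink.
function validate_users_id(array $query): ?int
{
    $raw = $query[PARAM] ?? null;
    if (!is_string($raw)) {
        return null;
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Layer 2, output encoding: every value that reaches HTML is encoded for its
// context, including the rejected value echoed in the error message, so the
// page stays safe even if validation is later loosened.
function render_hardened(array $query): string
{
    $id = validate_users_id($query);
    if ($id === null) {
        $raw = is_string($query[PARAM] ?? null) ? $query[PARAM] : '';
        return '<p class="error">Invalid ' . PARAM . ': ' . h($raw) . '</p>';
    }
    return '<input type="hidden" name="' . PARAM . '" value="' . h((string) $id) . '">';
}

// Constructed sample requests (not a real exploit for AVideo): one benign id
// and one payload that tries to close the attribute and inject a tag.
$benign  = [PARAM => '42'];
$payload = [PARAM => '1"><img src=x onerror=alert(1)>'];

echo "vulnerable: ", render_vulnerable($payload), PHP_EOL;
echo "hardened:   ", render_hardened($payload), PHP_EOL;
echo "benign:     ", render_hardened($benign), PHP_EOL;

// Self-check that does not depend on zend.assertions: no raw tag from the
// input may survive in the hardened output, and a valid id passes unchanged.
$ok = strpos(render_hardened($payload), '<img') === false
   && render_hardened($benign) === '<input type="hidden" name="' . PARAM . '" value="42">';
exit($ok ? 0 : 1);
```

Run it with `php example.php`; it prints the three renderings and exits 0 when the checks pass. The vulnerable line emits the `<img ... onerror=...>` tag verbatim, while the hardened path rejects the value as a user id and, where it echoes the bad value at all, encodes `"`, `<` and `>` as entities. Keeping validation and encoding as independent layers matters: if a later change relaxes the integer check, the encoding still prevents script injection, and if a template is reused in a different context (a JavaScript string, a URL) the encoding function is the one thing that has to change.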
CVE-2025-46410 is a critical Cross-Site Scripting (XSS) vulnerability in WWBN AVideo versions 14.4 and dev master, allowing attackers to execute JavaScript code.
If you are using WWBN AVideo version 14.4 or the dev master branch, you are potentially affected by this vulnerability. Upgrade to 14.4.1 to mitigate the risk.
Upgrade to WWBN AVideo version 14.4.1 or later. As a temporary measure, validate the vulnerable parameter as a positive integer and HTML-encode anything from it that is echoed back into the page.
As of the current date, there are no confirmed reports of active exploitation, but the high CVSS score indicates a significant risk.
Please refer to the WWBN security advisories page for the latest information and official guidance regarding CVE-2025-46410.