Platform: php
Component: avideo
Fixed in: 14.4.1, 8.0.1
CVE-2025-50128 is a cross-site scripting (XSS) vulnerability in WWBN AVideo, in the handling of the 404ErrorMsg parameter by the videoNotFound page. The parameter value is reflected into the HTML response without adequate encoding, so a crafted HTTP request can cause arbitrary JavaScript to run in the browser of whoever opens it, potentially compromising user accounts and sensitive data. Affected versions are 14.4 and the dev master branch; the fix is in version 14.4.1.
The practical risk is that of a reflected XSS: an attacker crafts a URL pointing at the AVideo instance with a script payload in the 404ErrorMsg parameter and entices a user to open it (via email, chat, or a link on another site). When the page renders, the payload executes in the user's browser within the AVideo origin, so it can read cookies not marked HttpOnly, issue requests with the victim's session, redirect the user to a phishing site, or rewrite the page content. The impact goes beyond defacement: against an authenticated user, and especially an administrator, this can amount to account takeover and access to data stored in the AVideo system. Exploitation requires nothing more than a victim following the crafted link.
CVE-2025-50128 was publicly disclosed on 2025-07-24. This page rates the vulnerability as critical because of the ease of exploitation and the potential impact; note, however, that a reflected XSS requires user interaction, and the EPSS score of 0.10% indicates a low predicted probability of exploitation in the wild. No public proof-of-concept (PoC) has been observed at the time of writing, but reflected XSS payloads are simple to construct, so one may well appear. The vulnerability has not been added to the CISA KEV catalog as of this date.
Exploit Status
EPSS: 0.10% (28th percentile)
CISA SSVC: not provided
CVSS Vector: not provided
The primary mitigation for CVE-2025-50128 is to upgrade to version 14.4.1 or later, which contains the fix. If upgrading is not immediately feasible, a Web Application Firewall (WAF) rule that blocks requests with script-like content in the 404ErrorMsg parameter of the videoNotFound page reduces exposure, but treat it as a stopgap only: signature-based filters are routinely bypassed with alternative encodings and tag variants. In the application itself, HTML-encode every user-supplied value for the context in which it is rendered (element body, attribute, URL, or script) rather than trying to strip "bad" characters. A strict Content Security Policy (CSP) that omits 'unsafe-inline' for script-src limits what an injected script can do even if an encoding step is missed. After upgrading, confirm the fix in a staging environment: request the videoNotFound page with a harmless marker payload in 404ErrorMsg, view the response source, and verify that the marker appears HTML-encoded rather than as live markup.
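The encoding and CSP steps above, shown as an added illustration rather than AVideo's own code: a minimal "video not found" page that reflects a 404ErrorMsg query parameter, first in a vulnerable form and then hardened with context-appropriate HTML encoding and a CSP header. The function names and the page structure are hypothetical; the actual videoNotFound code path in AVideo is not reproduced here.

```php
<?php
// Added example, not AVideo's code. Demonstrates the vulnerable pattern
// (unescaped reflection of a query parameter) beside the hardened form.
declare(strict_types=1);

// Vulnerable form: the parameter is interpolated into the HTML as-is, so a
// value such as "><script>alert(document.cookie)</script> becomes live markup.
function renderNotFoundVulnerable(array $query): string
{
    $msg = (string) ($query['404ErrorMsg'] ?? 'Video not found');
    return "<div class=\"alert\">{$msg}</div>";
}

// Context-appropriate encoding for an HTML element body or quoted attribute.
// ENT_QUOTES encodes both quote characters; ENT_SUBSTITUTE keeps malformed
// UTF-8 from making htmlspecialchars() return an empty string silently.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Hardened form: reject non-string input (e.g. ?404ErrorMsg[]=x), cap the
// length, and encode at the point of output.
function renderNotFoundHardened(array $query): string
{
    $msg = $query['404ErrorMsg'] ?? '';
    if (!is_string($msg) || $msg === '') {
        $msg = 'Video not found';
    }
    $msg = mb_substr($msg, 0, 200, 'UTF-8');
    return '<div class="alert">' . escapeHtml($msg) . '</div>';
}

// Defense in depth: a CSP without 'unsafe-inline' means an injected inline
// <script> is refused by the browser even if an encoding step is missed.
// Headers must be sent before any output; the nonce is random per response.
function sendCspHeader(string $nonce): void
{
    header(
        "Content-Security-Policy: default-src 'self'; "
        . "script-src 'self' 'nonce-{$nonce}'; "
        . "object-src 'none'; base-uri 'self'; frame-ancestors 'self'"
    );
}

if (PHP_SAPI === 'cli') {
    // Constructed probe value for a command-line run: php this_file.php
    $probe = ['404ErrorMsg' => '"><script>alert(document.cookie)</script>'];
    echo 'Vulnerable: ', renderNotFoundVulnerable($probe), PHP_EOL;
    echo 'Hardened:   ', renderNotFoundHardened($probe), PHP_EOL;
} else {
    // Web request: headers first, then the encoded body.
    $nonce = base64_encode(random_bytes(16));
    sendCspHeader($nonce);
    http_response_code(404);
    header('Content-Type: text/html; charset=UTF-8');
    echo renderNotFoundHardened($_GET);
}
```

Run from the command line, the vulnerable function returns the probe as raw markup, so a browser would close the div and execute the script; the hardened function returns the same bytes as `&quot;&gt;&lt;script&gt;...`, which the browser displays as text. That encoded reflection is exactly what the post-upgrade check looks for in the page source. The CSP is a backstop, not a substitute for encoding: it does nothing about a payload that, say, rewrites a form's action URL without any script at all.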
Update AVideo to a version later than 14.4 or a commit later than 8a8954ff. This will resolve the XSS vulnerability in the videoNotFound 404ErrorMsg parameter. See the Talos Intelligence report for more details.
CVE-2025-50128 is a critical cross-site scripting (XSS) vulnerability in WWBN AVideo versions 14.4 and dev master, allowing attackers to execute malicious scripts.
If you are using WWBN AVideo version 14.4 or the dev master branch, you are potentially affected by this vulnerability.
Upgrade to version 14.4.1 or later to resolve the vulnerability. Implement WAF rules and CSP headers as temporary mitigations.
No active exploitation has been confirmed and the EPSS score is low, but reflected XSS payloads are trivial to construct, so the patch should be applied promptly rather than deferred.
Refer to the official WWBN security advisory for detailed information and updates regarding CVE-2025-50128.