Platform: php
Component: wwbn/avideo
Fixed in: 26.0.1, 25.0.1
CVE-2026-33035 describes a reflected Cross-Site Scripting (XSS) vulnerability found in wwbn/avideo. This flaw allows unauthenticated attackers to inject malicious JavaScript code into a victim's browser, potentially leading to account compromise or data theft. The vulnerability affects versions of avideo up to and including 25.0. A patch is available in version 26.0.
An attacker can exploit this XSS vulnerability by crafting a malicious URL containing a specially crafted 404ErrorMsg parameter. When a user clicks this link, the injected JavaScript code will execute within their browser context. This can allow the attacker to steal session cookies, redirect the user to a phishing site, or deface the web page. The blast radius extends to any user who clicks the malicious link, potentially impacting a wide range of users depending on the application's popularity and user base. Successful exploitation could also be used to perform actions on behalf of the victim user, such as modifying data or accessing sensitive information, depending on the user's privileges within the application. This vulnerability shares similarities with other reflected XSS vulnerabilities where user input is directly incorporated into the output without proper sanitization.
CVE-2026-33035 was published on March 17, 2026. The vulnerability's severity is pending evaluation. No public Proof-of-Concept (POC) code has been released at the time of writing, but the nature of reflected XSS vulnerabilities makes it likely that a POC will emerge. It is not currently listed on KEV or EPSS, indicating a low to medium probability of exploitation. Monitor security advisories and vulnerability databases for updates.
Exploit Status
EPSS: 0.07% (22nd percentile)
CISA SSVC
The primary mitigation for CVE-2026-33035 is to upgrade to version 26.0 of wwbn/avideo, which contains the fix. If upgrading immediately is not possible, consider implementing temporary workarounds. Input validation on the 404ErrorMsg parameter in view/videoNotFound.php is crucial. Strictly limit the allowed characters and length of the parameter. Employ a Web Application Firewall (WAF) with rules to detect and block malicious JavaScript injection attempts targeting the 404ErrorMsg parameter. Consider using a Content Security Policy (CSP) to restrict the sources from which scripts can be executed, limiting the impact of a successful XSS attack. After upgrading to version 26.0, confirm the fix by attempting to inject a simple JavaScript payload via the 404ErrorMsg parameter and verifying that it is not executed.
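The following PHP is an added illustration of the two controls the mitigation text calls for (allow-list validation of the reflected parameter and contextual output encoding), plus the CSP header it recommends as defence in depth. It is not wwbn/avideo's code and does not reproduce view/videoNotFound.php; the function names, the allow-list character class, the length cap and the sample input are assumptions made for this example. It also shows the generic unsafe pattern described in the exploitation paragraph above (a query-string value echoed into HTML unencoded) so the contrast is visible.

```php
<?php
// Added example (not wwbn/avideo's own code): how a 404 error-message parameter
// such as the 404ErrorMsg named in the advisory should be handled so that a
// reflected value cannot become script. Function names, the allow-list rule,
// the length cap and the sample input are assumptions for this illustration.

declare(strict_types=1);

/**
 * The unsafe pattern behind any reflected XSS: a request value concatenated
 * into HTML without encoding. Shown only for contrast with the hardened
 * version below; this is a generic illustration, not the project's source.
 */
function render_not_found_unsafe(string $msg): string
{
    return '<p class="error">' . $msg . '</p>';
}

/**
 * Allow-list validation for the parameter: a short human-readable message made
 * of letters, digits, spaces and basic punctuation. Anything else is replaced
 * with a fixed default, so untrusted markup never reaches the template.
 * The character class and the 200-character cap are assumptions.
 */
function validate_404_message(?string $raw, string $default = 'Video not found'): string
{
    if ($raw === null) {
        return $default;
    }
    if (mb_strlen($raw, 'UTF-8') > 200) {
        return $default;
    }
    // The class deliberately excludes < > " ' & and control characters.
    if (!preg_match('/^[\p{L}\p{N} .,:;!?()\-]+$/u', $raw)) {
        return $default;
    }
    return $raw;
}

/**
 * Contextual output encoding: the durable fix for reflected XSS. Every value
 * placed into HTML text goes through htmlspecialchars() with ENT_QUOTES so
 * <, >, &, " and ' become entities and cannot close the surrounding element,
 * even if validation is bypassed or skipped on some code path.
 */
function render_not_found_safe(string $msg): string
{
    $encoded = htmlspecialchars($msg, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<p class="error">' . $encoded . '</p>';
}

/**
 * Defence in depth: a Content Security Policy that permits scripts only from
 * the site's own origin blocks inline script even where encoding was missed.
 * In a real request this string would be sent with header(); it is returned
 * here so the example runs from the CLI.
 */
function csp_header_value(): string
{
    return "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'";
}

// Constructed sample input: the simplest script-bearing value a scanner or a
// post-upgrade verification step would submit, used to show that both
// controls neutralise it.
$sample = '<script>alert(1)</script>';

echo 'Unsafe render : ' . render_not_found_unsafe($sample) . PHP_EOL;
echo 'Validated     : ' . validate_404_message($sample) . PHP_EOL;
echo 'Safe render   : ' . render_not_found_safe($sample) . PHP_EOL;
echo 'CSP header    : ' . csp_header_value() . PHP_EOL;
```

Run with `php example.php`: the validated line prints the default message because the angle brackets fail the allow-list, and the safe render prints the input with `<` and `>` turned into `&lt;` and `&gt;`, so the browser shows the text rather than executing it. Validation and encoding are kept as separate steps on purpose: validation narrows what the handler accepts, while encoding is what makes the output safe regardless of what was accepted.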
Update AVideo to version 26.0 or higher. This version contains the fix for the XSS vulnerability. It is recommended to back up before updating.
It's a reflected XSS vulnerability in wwbn/avideo versions up to 25.0, allowing attackers to execute JavaScript in a user's browser via a malicious URL.
If you are using wwbn/avideo version 25.0 or earlier, you are potentially affected by this vulnerability. Upgrade to version 26.0.
The recommended fix is to upgrade to version 26.0 of wwbn/avideo. Temporary workarounds include input validation and WAF rules.
No public exploitation is currently known, but the vulnerability's nature makes it a potential target. Monitor security advisories.
Refer to the official wwbn security advisories and the NVD entry for CVE-2026-33035 for more details.