CVE-2026-27568: AVideo has Stored Cross-Site Scripting via Markdown Comment Injection

February 20, 2026 (updated February 24, 2026)

AVideo allows Markdown in video comments and uses Parsedown (v1.7.4) without Safe Mode enabled. Markdown links are not sufficiently sanitized, allowing javascript: URIs to be rendered as clickable links.

An authenticated low-privilege attacker can post a malicious comment that injects persistent JavaScript. When another user clicks the link, the attacker can perform actions such as session hijacking, privilege escalation (including admin takeover), and data exfiltration.

References

github.com/WWBN/AVideo
github.com/WWBN/AVideo/commit/ade348ed6d28b3797162c3d9e98054fb09ec51d7
github.com/WWBN/AVideo/releases/tag/21.0
github.com/WWBN/AVideo/security/advisories/GHSA-rcqw-6466-3mv7
github.com/advisories/GHSA-rcqw-6466-3mv7
nvd.nist.gov/vuln/detail/CVE-2026-27568

Code Behaviors & Features

Detect and mitigate CVE-2026-27568 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →