CVE-2026-33499: AVideo has Reflected XSS via unlockPassword Parameter in forbiddenPage.php and warningPage.php

March 20, 2026

The view/forbiddenPage.php and view/warningPage.php templates reflect the $_REQUEST['unlockPassword'] parameter directly into an HTML <input> tag’s attributes without any output encoding or sanitization. An attacker can craft a URL that breaks out of the value attribute and injects arbitrary HTML attributes including JavaScript event handlers, achieving reflected XSS against any visitor who clicks the link.

References

github.com/WWBN/AVideo
github.com/WWBN/AVideo/security/advisories/GHSA-7292-w8qp-mhq2
github.com/advisories/GHSA-7292-w8qp-mhq2
nvd.nist.gov/vuln/detail/CVE-2026-33499

Code Behaviors & Features

Detect and mitigate CVE-2026-33499 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →