CVE-2026-39367: WWBN AVideo has Stored XSS via Malicious EPG XML Program Titles in AVideo EPG Page
AVideo’s EPG (Electronic Program Guide) feature fetches XML from a URL that users control and renders each programme’s title directly into the HTML of the EPG page, with no sanitization or output escaping. A user with upload permission can point a video’s epg_link at a malicious XML file whose <title> elements carry HTML with JavaScript (a script tag or an event-handler attribute). Because the XML parser decodes entities before the title text reaches the template, XML-escaping in the feed gives no protection: the decoded title lands in the page as live markup. The stored payload runs in the browser of anyone who views the public EPG page, which requires no authentication to reach; when the viewer is a logged-in user or administrator, that enables session hijacking and account takeover. The fix is to HTML-escape every title at render time, in the context where it is emitted.
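The following is an added example written for this page; it is not AVideo’s own code (AVideo is a PHP application, where the equivalent fix is htmlspecialchars at output). It mirrors the vulnerable pattern in Python so it can be run stand-alone: the EPG document, the XMLTV-style <tv>/<programme>/<title> layout, and the list template are all constructed assumptions for the demo. The rendering functions show the unescaped interpolation beside the escaped form, and an audit helper flags titles in an already-hosted feed that would be rendered as markup.

```python
"""Added example (not AVideo's own code): how an EPG <title> becomes stored XSS
when it is interpolated into HTML unescaped, and the context-correct fix.

Assumptions: an XMLTV-style feed (<tv><programme><title>) and a simple <ul>
template. AVideo itself is PHP; the pattern and the fix are the same there.
"""
import html
import xml.etree.ElementTree as ET

# Constructed sample feed: the second programme's title carries a payload.
# The feed contains only XML entities (&lt; &gt;), no literal "<img". The XML
# parser decodes them, so the title text handed to the template is already a
# live HTML tag. XML-escaping in the feed is therefore not a defence.
MALICIOUS_EPG = """<?xml version="1.0"?>
<tv>
  <programme start="20260101200000 +0000" channel="ch1">
    <title>Evening News</title>
  </programme>
  <programme start="20260101210000 +0000" channel="ch1">
    <title>&lt;img src=x onerror="alert(document.cookie)"&gt;</title>
  </programme>
</tv>
"""


def parse_titles(xml_text: str) -> list[str]:
    """Return programme titles in document order, after XML entity decoding."""
    root = ET.fromstring(xml_text)
    return [(p.findtext("title") or "") for p in root.iter("programme")]


def render_epg_vulnerable(xml_text: str) -> str:
    """Interpolates decoded titles straight into HTML, as the advisory describes.
    Whatever the XML parser decoded into the title text is now markup."""
    rows = [f"<li class='epg-item'>{title}</li>" for title in parse_titles(xml_text)]
    return "<ul>" + "".join(rows) + "</ul>"


def render_epg_hardened(xml_text: str) -> str:
    """Same template, but each title is HTML-escaped for element-content context.
    quote=True also escapes ' and " so the same helper is safe inside quoted
    attribute values; JavaScript or URL contexts need their own encoder."""
    rows = [
        f"<li class='epg-item'>{html.escape(title, quote=True)}</li>"
        for title in parse_titles(xml_text)
    ]
    return "<ul>" + "".join(rows) + "</ul>"


def titles_with_markup(xml_text: str) -> list[str]:
    """Audit helper for a feed you already host: titles whose decoded text
    contains '<' or '>' would be emitted as markup by the unescaped template."""
    return [t for t in parse_titles(xml_text) if "<" in t or ">" in t]


if __name__ == "__main__":
    print("vulnerable:", render_epg_vulnerable(MALICIOUS_EPG))
    print("hardened:  ", render_epg_hardened(MALICIOUS_EPG))
    print("flagged:   ", titles_with_markup(MALICIOUS_EPG))
```

Running the block prints the vulnerable output with a raw <img … onerror=…> element inside the list item and the hardened output with the same title reduced to inert text. The escaping must match the output context: html.escape covers element content and quoted attributes, but a title written into a JavaScript string or a URL needs the encoder for that context, and escaping at render time (not on ingest) is what keeps the stored title harmless wherever it is later displayed.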