Vulnerability Description
WWBN AVideo is an open source video platform. Prior to version 21.0, AVideo allows Markdown in video comments and renders it with Parsedown (v1.7.4) without Safe Mode enabled. Link destinations are not sufficiently sanitized: the destination of a Markdown link is copied into the `href` attribute as-is, so a `javascript:` URI becomes a clickable link. An authenticated low-privilege attacker can post a comment containing such a link, which is stored and served to every viewer of the video (stored cross-site scripting). When another user clicks the link, the attacker's script runs in that user's session and can perform actions such as session hijacking, privilege escalation (including admin takeover), and data exfiltration. Version 21.0 contains a fix. As a workaround, validate link destinations and block unsafe URI schemes (e.g., `javascript:`) before rendering Markdown, and enable Parsedown Safe Mode.
CVSS Score
6.1 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Wwbn | Avideo | < 21.0 |
Related Weaknesses (CWE)
References
- Patch: https://github.com/WWBN/AVideo/commit/ade348ed6d28b3797162c3d9e98054fb09ec51d7
- Release Notes: https://github.com/WWBN/AVideo/releases/tag/21.0
- Vendor Advisory: https://github.com/WWBN/AVideo/security/advisories/GHSA-rcqw-6466-3mv7
FAQ
What is CVE-2026-27568?
CVE-2026-27568 is a stored cross-site scripting vulnerability in WWBN AVideo before version 21.0, rated 6.1 (MEDIUM). Video comments accept Markdown and are rendered with Parsedown 1.7.4 without Safe Mode, so a `javascript:` link destination is emitted as a clickable link and the attacker's script runs in the session of any user who clicks it.
How severe is CVE-2026-27568?
CVE-2026-27568 has been rated MEDIUM with a CVSS base score of 6.1/10. Exploitation requires an authenticated low-privilege account and a click by the victim, but the impact extends to session hijacking and administrator account takeover.
Is there a patch for CVE-2026-27568?
Yes. Version 21.0 contains the fix; the patch commit, release notes and vendor advisory are listed in the References section above. Affected products: WWBN AVideo versions before 21.0. If upgrading is not immediately possible, block unsafe URI schemes such as `javascript:` before rendering Markdown and enable Parsedown Safe Mode.