Vulnerability Description
WWBN AVideo is an open source video platform. In versions 29.0 and below, an incomplete XSS fix in AVideo's `ParsedownSafeWithLinks` class overrides `inlineMarkup` for raw HTML but does not override `inlineLink()` or `inlineUrlTag()`, allowing `javascript:` URLs in markdown link syntax to bypass sanitization. Commit cae8f0dadbdd962c89b91d0095c76edb8aadcacf contains an updated fix.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Wwbn | Avideo | <= 29.0 |
Related Weaknesses (CWE)
References
- https://github.com/WWBN/AVideo/commit/3ae02fa240939dbefc5949d64f05790fd25d728dPatch
- https://github.com/WWBN/AVideo/commit/cae8f0dadbdd962c89b91d0095c76edb8aadcacfPatch
- https://github.com/WWBN/AVideo/security/advisories/GHSA-72h5-39r7-r26jExploitMitigationVendor Advisory
- https://github.com/WWBN/AVideo/security/advisories/GHSA-m7r8-6q9j-m2hcExploitMitigationVendor Advisory
- https://github.com/WWBN/AVideo/security/advisories/GHSA-m7r8-6q9j-m2hcExploitMitigationVendor Advisory
FAQ
What is CVE-2026-41063?
CVE-2026-41063 is a vulnerability with a CVSS score of 5.4 (MEDIUM). WWBN AVideo is an open source video platform. In versions 29.0 and below, an incomplete XSS fix in AVideo's `ParsedownSafeWithLinks` class overrides `inlineMarkup` for raw HTML but does not override `...
How severe is CVE-2026-41063?
CVE-2026-41063 has been rated MEDIUM with a CVSS base score of 5.4/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-41063?
Check the references section above for vendor advisories and patch information. Affected products include: Wwbn Avideo.