CVE-2026-33500

// Payload to inject in the comment field using Markdown syntax [Click here to trigger XSS](javascript:alert('CVE-2026-33500'))

{"cve": {"id": "CVE-2026-33500", "sourceIdentifier": "[email protected]", "published": "2026-03-23T17:16:51.340", "lastModified": "2026-03-24T18:11:11.797", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions up to and including 26.0, the fix for CVE-2026-27568 (GHSA-rcqw-6466-3mv7) introduced a custom `ParsedownSafeWithLinks` class that sanitizes raw HTML `<a>` and `<img>` tags in comments, but explicitly disables Parsedown's `safeMode`. This creates a bypass: markdown link syntax `[text](javascript:alert(1))` is processed by Parsedown's `inlineLink()` method, which does not go through the custom `sanitizeATag()` sanitization (that only handles raw HTML tags). With `safeMode` disabled, Parsedown's built-in `javascript:` URI filtering (`sanitiseElement()`/`filterUnsafeUrlInAttribute()`) is also inactive. An attacker can inject stored XSS via comment markdown links. Commit 3ae02fa240939dbefc5949d64f05790fd25d728d contains a patch."}, {"lang": "es", "value": "WWBN AVideo es una plataforma de video de código abierto. En versiones hasta la 26.0 inclusive, la corrección para CVE-2026-27568 (GHSA-rcqw-6466-3mv7) introdujo una clase personalizada ParsedownSafeWithLinks que sanitiza las etiquetas HTML sin procesar `<a rel=\"nofollow\">` e `` en los comentarios, pero deshabilita explícitamente el safeMode de Parsedown. Esto crea un bypass: la sintaxis de enlace markdown `[text](javascript:alert(1))` es procesada por el método inlineLink() de Parsedown, que no pasa por la sanitización personalizada sanitizeATag() (que solo maneja etiquetas HTML sin procesar). Con safeMode deshabilitado, el filtrado de URI `javascript:` incorporado de Parsedown (sanitiseElement()/filterUnsafeUrlInAttribute()) también está inactivo. Un atacante puede inyectar XSS almacenado a través de enlaces markdown en comentarios. El commit 3ae02fa240939dbefc5949d64f05790fd25d728d contiene un parche.</a>"}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.3, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*", "versionEndIncluding": "26.0", "matchCriteriaId": "774C24F1-9D26-484F-B931-1DA107C8F588"}]}]}], "references": [{"url": "https://github.com/WWBN/AVideo/commit/3ae02fa240939dbefc5949d64f05790fd25d728d", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-72h5-39r7-r26j", "source": "[email protected]", "tags": ["Exploit", "Mitigation", "Vendor Advisory"]}]}}