
CVE-2026-33499: Reflected Cross-Site Scripting in WWBN AVideo Password Forms

Alon Barad, Software Engineer

Mar 23, 2026 · 6 min read

Executive Summary (TL;DR)

Unsanitized `unlockPassword` parameter in AVideo <= 26.0 allows unauthenticated reflected XSS, enabling session hijacking and account takeover.

WWBN AVideo versions up to and including 26.0 suffer from a reflected Cross-Site Scripting (XSS) vulnerability. The application fails to sanitize the `unlockPassword` parameter in password-protected page templates, allowing unauthenticated attackers to execute arbitrary JavaScript in a victim's browser context.

Vulnerability Overview

WWBN AVideo, an open-source video platform, uses password-protected channels and videos to restrict content access. When a user attempts to access restricted content without prior authorization, the application serves an interstitial page requesting a password. This page is rendered primarily by the view/forbiddenPage.php and view/warningPage.php template files.

A security vulnerability exists within the handling of the unlockPassword HTTP request parameter during the rendering of these templates. The application directly extracts the value from the $_REQUEST['unlockPassword'] superglobal and reflects it into the HTML output. The vulnerability is classified as CWE-79: Improper Neutralization of Input During Web Page Generation.

Because the application omits necessary output encoding mechanisms, an attacker can supply crafted HTML attributes or script tags within the unlockPassword parameter. When a victim loads the resulting URL, the application renders the attacker's payload as part of the page's Document Object Model (DOM), leading to arbitrary JavaScript execution in the context of the vulnerable origin.

Root Cause Analysis

The root cause of CVE-2026-33499 is the direct concatenation of untrusted user input into an HTML element attribute without prior sanitization. The vulnerable data flow begins in the view/forbiddenPage.php template. The script checks for the presence of the unlockPassword parameter within the $_REQUEST array. If present, it assigns the raw, unvalidated input to the local variable $value.

The application subsequently passes this $value variable as an argument to the getInputPassword() helper function, appending it to a string of HTML attributes. Specifically, the concatenation occurs as class="form-control" value="' . $value . '". The helper function, defined in objects/functions.php, receives these attributes and echoes them directly inside an HTML <input> tag.

The lack of output encoding at the point of reflection allows an attacker to break out of the intended attribute context. By prefixing their payload with a double-quote ("), the attacker terminates the value attribute early. The browser then interprets subsequent characters as new HTML attributes belonging to the <input> element, enabling the injection of event handlers like onfocus or onmouseover.

Code Analysis and Patch Walkthrough

Analyzing the source code reveals the precise data flow from the request superglobal to the final HTML render. In the vulnerable version of view/forbiddenPage.php, the logic explicitly extracts the parameter and builds the attribute string:

$value = '';
if (!empty($_REQUEST['unlockPassword'])) {
    $value = $_REQUEST['unlockPassword'];  // Flaw: No sanitization
}
echo getInputPassword('unlockPassword', 'class="form-control" value="' . $value . '"', __('Unlock Password'));

The getInputPassword() function then injects the $attributes string unmodified into the DOM:

function getInputPassword($id, $attributes = '', $placeholder = '') {
    // ...
    ?>
    <input id="<?php echo $id; ?>" name="<?php echo $id; ?>" type="password" placeholder="<?php echo $placeholder; ?>" <?php echo $attributes; ?>>
    <?php
}

The vendor remediation, applied in commit f154167251c9cf183ce09cd018d07e9352310457, introduces the standard PHP htmlspecialchars() function to encode the input before assignment.

// Patched Code block in view/forbiddenPage.php
if (!empty($_REQUEST['unlockPassword'])) {
    $value = htmlspecialchars($_REQUEST['unlockPassword'], ENT_QUOTES, 'UTF-8');
}

The ENT_QUOTES flag is the critical component of this fix. It ensures that both single and double quotes are converted to their corresponding HTML entities (e.g., &quot;). This prevents the attacker from terminating the value="..." attribute, forcing the browser to treat the entire payload strictly as the text value of the input field.
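To make the attribute-context point concrete, the following added example (not code from the AVideo project or from this report) reproduces the getInputPassword() concatenation in Python and runs the report's own PoC payload through three encoders: none (pre-patch), an encoder that escapes only angle brackets and ampersands, and one equivalent to htmlspecialchars() with ENT_QUOTES. Python's html.escape(quote=True) is used as the stand-in for htmlspecialchars($v, ENT_QUOTES, 'UTF-8'); the markup is then tokenized with the standard-library HTMLParser so the resulting attribute list can be inspected the way a browser would see it. Function and variable names are this example's own.

```python
import html
from html.parser import HTMLParser

# Constructed test input: the same payload shape the report quotes in its PoC URL.
SAMPLE_PAYLOAD = '" autofocus onfocus="alert(document.cookie)'


def render_input(value, encoder):
    """Build the <input> markup the way getInputPassword() does: the caller-supplied
    attribute string (including value="...") is concatenated into the tag verbatim.
    `encoder` is whatever transformation the calling template applied to the value."""
    attributes = 'class="form-control" value="' + encoder(value) + '"'
    return ('<input id="unlockPassword" name="unlockPassword" type="password" '
            'placeholder="Unlock Password" ' + attributes + '>')


def no_encoding(value):
    """Pre-patch behaviour: $value is the raw $_REQUEST['unlockPassword']."""
    return value


def tags_only_encoding(value):
    """An encoder that neutralises only <, > and & and leaves both quote characters
    alone (e.g. a filter written to stop tag injection). Included to show that
    escaping angle brackets does nothing for an attribute context."""
    return html.escape(value, quote=False)


def ent_quotes_encoding(value):
    """Patched behaviour. html.escape(quote=True) is the Python analogue of
    htmlspecialchars($v, ENT_QUOTES, 'UTF-8'): &, <, >, " and ' all become entities.
    (PHP emits &#039; for the single quote where Python emits &#x27;; browsers decode both.)"""
    return html.escape(value, quote=True)


class InputAttributeCollector(HTMLParser):
    """Records the attributes of the first <input> start tag, tokenised the way a
    browser would see them, with entity references in attribute values decoded."""

    def __init__(self):
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if tag == "input" and self.attrs is None:
            self.attrs = dict(attrs)


def parse_input_attributes(markup):
    """Return {attribute name: value or None} for the rendered <input> element."""
    parser = InputAttributeCollector()
    parser.feed(markup)
    parser.close()
    return parser.attrs or {}


def injected_event_handlers(markup):
    """Names of on* attributes that ended up on the <input> element. An empty list
    means the submitted text stayed inside the value attribute."""
    return sorted(name for name in parse_input_attributes(markup) if name.startswith("on"))


if __name__ == "__main__":
    encoders = [("raw", no_encoding), ("tags only", tags_only_encoding), ("ENT_QUOTES", ent_quotes_encoding)]
    for label, encoder in encoders:
        markup = render_input(SAMPLE_PAYLOAD, encoder)
        print(f"{label:>10}: handlers={injected_event_handlers(markup)} attrs={parse_input_attributes(markup)}")
```

With no encoding or with angle-bracket-only encoding the parsed element carries an autofocus attribute and an onfocus handler; with quote encoding the element has neither, and its value attribute decodes back to the original submitted text, which is exactly the behaviour the patch relies on.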

Exploitation Methodology

Exploiting this vulnerability requires an attacker to construct a targeted URL and deliver it to a victim. The attacker identifies a password-protected channel or video URL on the target AVideo instance. They then append the unlockPassword parameter containing the exploit payload to the query string.

The most reliable exploitation technique uses the autofocus and onfocus HTML attributes. By injecting " autofocus onfocus="alert(document.cookie), the attacker ensures immediate payload execution. The complete PoC URL takes the following form:

https://[Target]/channel/[User]?unlockPassword=" autofocus onfocus="alert(document.cookie)

When the victim's browser receives the HTTP response, it parses the manipulated <input> tag. The injected autofocus attribute commands the browser to automatically place the cursor inside the input field upon page load. This automatic focus event instantly triggers the injected onfocus event handler, executing the associated JavaScript without requiring the victim to click or type anything on the page itself.

Impact Assessment

Successful exploitation of this reflected XSS vulnerability grants the attacker the ability to execute arbitrary JavaScript within the security context of the victim's session on the AVideo platform. Because the injected script runs within the vulnerable origin itself, the Same-Origin Policy (SOP) restrictions that normally isolate cross-site data offer no protection. The primary and most immediate impact is session hijacking.

By executing a payload that reads document.cookie, an attacker can exfiltrate the victim's PHPSESSID token to an external server under their control. If the victim holds administrative privileges, the attacker can use the stolen session token to authenticate to the application as an administrator, granting them full control over the platform's configuration, users, and content.

Beyond session theft, the vulnerability facilitates forced actions and phishing. The injected script can issue asynchronous HTTP requests (via fetch or XMLHttpRequest) to perform state-changing operations on behalf of the user, such as modifying account credentials or altering platform settings. The CVSS v3.1 score of 6.1 accurately reflects this impact profile, highlighting the requirement for user interaction (UI:R) and the changed security scope (S:C) inherent to reflected XSS.

Remediation and Detection Guidance

The definitive remediation for CVE-2026-33499 is to update WWBN AVideo installations to a version that includes commit f154167251c9cf183ce09cd018d07e9352310457. System administrators must ensure that the patched code correctly implements htmlspecialchars() with the ENT_QUOTES flag applied to the unlockPassword parameter in both view/forbiddenPage.php and view/warningPage.php.

Organizations unable to deploy the patch immediately can implement mitigation controls via a Web Application Firewall (WAF). WAF rules should be configured to inspect the unlockPassword parameter for structural HTML characters, specifically double quotes ("), or common JavaScript event handlers like onfocus, onmouseover, or onload. Dropping requests that match these signatures will successfully disrupt the attack vector.

Detection of historical exploitation attempts requires analysis of web server access logs. Security analysts should query HTTP GET requests targeting /channel/ or video paths containing the unlockPassword query parameter. Analysts should flag any requests where the parameter value includes URL-encoded double quotes (%22) followed by spaces and subsequent attribute declarations.
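The following added example (this report's and the AVideo project's code do not include it) implements the access-log check described above in Python: it parses Combined Log Format lines, URL-decodes the query string once (matching how PHP populates $_REQUEST), and flags unlockPassword values that show a quote followed by whitespace and an attribute declaration, an inline event-handler declaration, or a tag opener. The log lines are constructed for the example; the first and third reuse the payload shape quoted in this report, and the second shows an ordinary password containing a quote that must not be flagged.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access log in Combined Log Format (IPs from documentation ranges).
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [23/Mar/2026:10:01:12 +0000] "GET /channel/alice?unlockPassword=%22%20autofocus%20onfocus%3D%22alert(document.cookie) HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.8 - - [23/Mar/2026:10:02:30 +0000] "GET /channel/alice?unlockPassword=correct%20horse%22battery HTTP/1.1" 200 5100 "-" "Mozilla/5.0"
198.51.100.4 - - [23/Mar/2026:10:03:45 +0000] "GET /video/123?unlockPassword=x%22%20onmouseover%3D%22alert(1) HTTP/1.1" 200 5120 "-" "curl/8.0"
198.51.100.5 - - [23/Mar/2026:10:04:01 +0000] "GET /index.php HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, method, request target and status from a Combined Log Format line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# A quote, at least one whitespace character, then something shaped like an attribute
# name: the structure needed to leave value="..." and begin a new attribute.
ATTRIBUTE_BREAKOUT_RE = re.compile(r'["\']\s+[A-Za-z-]+(?:\s*=|\s|$)')
# An inline event-handler declaration such as onfocus= or onmouseover=.
EVENT_HANDLER_RE = re.compile(r'\bon[a-z]+\s*=', re.IGNORECASE)
# A tag opener, in case the reflection lands in a text context rather than an attribute.
TAG_OPEN_RE = re.compile(r'<\s*/?[A-Za-z]')


def classify_value(value):
    """Return the reasons a decoded unlockPassword value looks like an injection
    attempt (an empty list for a benign value)."""
    reasons = []
    if ATTRIBUTE_BREAKOUT_RE.search(value):
        reasons.append("attribute breakout")
    if EVENT_HANDLER_RE.search(value):
        reasons.append("event handler")
    if TAG_OPEN_RE.search(value):
        reasons.append("tag injection")
    return reasons


def scan_access_log(log_text, parameter="unlockPassword"):
    """Walk access-log lines, decode the query string once and return one finding
    per request whose parameter value matches any of the patterns above."""
    findings = []
    for line in log_text.splitlines():
        match = REQUEST_RE.match(line)
        if not match:
            continue  # not a request line we understand
        target = urlsplit(match["target"])
        params = parse_qs(target.query, keep_blank_values=True)
        for value in params.get(parameter, []):
            reasons = classify_value(value)
            if reasons:
                findings.append({
                    "ip": match["ip"],
                    "timestamp": match["ts"],
                    "path": target.path,
                    "value": value,
                    "reasons": reasons,
                })
    return findings


if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_ACCESS_LOG):
        print(f"{finding['timestamp']} {finding['ip']} {finding['path']} -> {', '.join(finding['reasons'])}")
```

Two design points: the breakout pattern deliberately requires whitespace after the quote so that legitimate passwords containing a quote character are not flagged, and matching is done on the decoded value so that %22 and a literal quote are treated alike. Because the templates read $_REQUEST, the same parameter can also arrive in a POST body, which a standard access log does not record; this check covers the GET vector described in the report.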

Official Patches

WWBN: Official patch commit implementing htmlspecialchars.
WWBN: GitHub Security Advisory.


Technical Appendix

CVSS Score
6.1 / 10
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Affected Systems

WWBN AVideo (formerly YouPHPTube)

Affected Versions Detail

Product: AVideo (WWBN)
Affected Versions: <= 26.0
Fixed Version: Post-26.0 (Commit f154167251)

CWE ID: CWE-79
Attack Vector: Network
CVSS Score: 6.1
Impact: Session Hijacking, Account Takeover
Exploit Status: Proof of Concept Available
CISA KEV: Not Listed

MITRE ATT&CK Mapping

T1189 Drive-by Compromise (Initial Access)
T1185 Browser Session Hijacking (Collection)

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Known Exploits & Detection

Context Report PoC: Zero-interaction execution payload using autofocus and onfocus attributes within the unlockPassword parameter.

Vulnerability Timeline

2026-03-20: Vulnerability patched by vendor in commit f154167251c9cf183ce09cd018d07e9352310457.
2026-03-23: GitHub Security Advisory published (GHSA-7292-w8qp-mhq2).
2026-03-23: CVE ID assigned and published (CVE-2026-33499).

References & Sources

  • [1] Official Patch Commit
  • [2] GitHub Security Advisory: GHSA-7292-w8qp-mhq2
  • [3] NVD Vulnerability Detail: CVE-2026-33499
  • [4] CVE.org Record: CVE-2026-33499

Attack Flow Diagram

[Interactive attack flow diagram not reproduced in this text version.]
