{
    "document": {
        "category": "csaf_base",
        "csaf_version": "2.0",
        "distribution": {
            "tlp": {
                "label": "WHITE"
            }
        },
        "lang": "en",
        "notes": [
            {
                "category": "legal_disclaimer",
                "text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this portal to enhance access to its information and vulnerabilities. The use of this information is subject to the following terms and conditions:\n\nThe vulnerabilities disclosed in this portal are gathered by NCSC-NL from a variety of open sources, which the user can retrieve from other platforms. NCSC-NL makes every reasonable effort to ensure that the content of this portal is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or real-time keeping up-to-date. NCSC-NL does not control nor guarantee the accuracy, relevance, timeliness or completeness of information obtained from these external sources. The vulnerabilities disclosed in this portal are intended solely for the convenience of professional parties to take appropriate measures to manage the risks posed to cybersecurity. No rights can be derived from the information provided therein.\n\nNCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of the vulnerabilities disclosed in this portal. This includes damage resulting from the inaccuracy or incompleteness of the information contained in it.\nThe information on this page is subject to Dutch law. All disputes related to or arising from the use of this portal regarding the disclosure of vulnerabilities will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings."
            }
        ],
        "publisher": {
            "category": "coordinator",
            "contact_details": "cert@ncsc.nl",
            "name": "National Cyber Security Centre",
            "namespace": "https://www.ncsc.nl/"
        },
        "title": "CVE-2026-33499",
        "tracking": {
            "current_release_date": "2026-03-26T00:52:49.189936Z",
            "generator": {
                "date": "2026-02-17T15:00:00Z",
                "engine": {
                    "name": "V.E.L.M.A",
                    "version": "1.7"
                }
            },
            "id": "CVE-2026-33499",
            "initial_release_date": "2026-03-20T21:40:58.318079Z",
            "revision_history": [
                {
                    "date": "2026-03-20T21:40:58.318079Z",
                    "number": "1",
                    "summary": "CVE created.| Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (2).| CWES updated (1)."
                },
                {
                    "date": "2026-03-20T21:41:00.720614Z",
                    "number": "2",
                    "summary": "NCSC Score created."
                },
                {
                    "date": "2026-03-24T03:11:58.036322Z",
                    "number": "3",
                    "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products connected (1).| References created (2).| CWES updated (1)."
                },
                {
                    "date": "2026-03-24T03:12:10.183549Z",
                    "number": "4",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-24T07:04:51.136139Z",
                    "number": "5",
                    "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (2).| CWES updated (1)."
                },
                {
                    "date": "2026-03-24T07:04:52.483201Z",
                    "number": "6",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-24T10:54:53.455662Z",
                    "number": "7",
                    "summary": "Unknown change."
                },
                {
                    "date": "2026-03-24T10:55:01.510019Z",
                    "number": "8",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-24T20:52:41.221135Z",
                    "number": "9",
                    "summary": "Products connected (1).| Product Identifiers created (1).| Exploits created (1)."
                },
                {
                    "date": "2026-03-24T20:52:43.672146Z",
                    "number": "10",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-24T21:01:34.655403Z",
                    "number": "11",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-24T21:37:24.802173Z",
                    "number": "12",
                    "summary": "Source connected.| CVE status created. (valid)| EPSS created."
                },
                {
                    "date": "2026-03-25T21:02:03.909781Z",
                    "number": "13",
                    "summary": "References created (2)."
                },
                {
                    "date": "2026-03-26T00:49:49.428371Z",
                    "number": "14",
                    "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products connected (18).| Product Identifiers created (17).| References created (3).| CWES updated (1)."
                }
            ],
            "status": "interim",
            "version": "14"
        }
    },
    "product_tree": {
        "branches": [
            {
                "branches": [
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/<=26.0",
                                "product": {
                                    "name": "vers:unknown/<=26.0",
                                    "product_id": "CSAFPID-5893889",
                                    "product_identification_helper": {
                                        "cpe": "cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*"
                                    }
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "AVideo"
                    },
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/10.4",
                                "product": {
                                    "name": "vers:unknown/10.4",
                                    "product_id": "CSAFPID-5656122",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/wwbn/avideo@10.4"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/10.8",
                                "product": {
                                    "name": "vers:unknown/10.8",
                                    "product_id": "CSAFPID-5656123",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/wwbn/avideo@10.8"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/11",
                                "product": {
                                    "name": "vers:unknown/11",
                                    "product_id": "CSAFPID-5656124",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/wwbn/avideo@11"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/11.1",
                                "product": {
                                    "name": "vers:unknown/11.1",
                                    "product_id": "CSAFPID-5656125",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/wwbn/avideo@11.1"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/11.1.1",
                                "product": {
                                    "name": "vers:unknown/11.1.1",
                                    "product_id": "CSAFPID-5656126",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/wwbn/avideo@11.1.1"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/11.5",
                                "product": {
                                    "name": "vers:unknown/11.5",
                                    "product_id": "CSAFPID-5656127",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/wwbn/avideo@11.5"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/11.6",
                                "product": {
                                    "name": "vers:unknown/11.6",
                                    "product_id": "CSAFPID-5656128",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/wwbn/avideo@11.6"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/12.4",
                                "product": {
                                    "name": "vers:unknown/12.4",
                                    "product_id": "CSAFPID-5656129",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/wwbn/avideo@12.4"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/14.3",
                                "product": {
                                    "name": "vers:unknown/14.3",
                                    "product_id": "CSAFPID-5656130",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/wwbn/avideo@14.3"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/14.3.1",
                                "product": {
                                    "name": "vers:unknown/14.3.1",
                                    "product_id": "CSAFPID-5656131",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/wwbn/avideo@14.3.1"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/14.4",
                                "product": {
                                    "name": "vers:unknown/14.4",
                                    "product_id": "CSAFPID-5656132",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/wwbn/avideo@14.4"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/18.0",
                                "product": {
                                    "name": "vers:unknown/18.0",
                                    "product_id": "CSAFPID-5656133",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/wwbn/avideo@18.0"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/21.0",
                                "product": {
                                    "name": "vers:unknown/21.0",
                                    "product_id": "CSAFPID-5721197",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/wwbn/avideo@21.0"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/22.0",
                                "product": {
                                    "name": "vers:unknown/22.0",
                                    "product_id": "CSAFPID-5772271",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/wwbn/avideo@22.0"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/24.0",
                                "product": {
                                    "name": "vers:unknown/24.0",
                                    "product_id": "CSAFPID-5772272",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/wwbn/avideo@24.0"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/25.0",
                                "product": {
                                    "name": "vers:unknown/25.0",
                                    "product_id": "CSAFPID-5840723",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/wwbn/avideo@25.0"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/26.0",
                                "product": {
                                    "name": "vers:unknown/26.0",
                                    "product_id": "CSAFPID-5878928",
                                    "product_identification_helper": {
                                        "purl": "pkg:composer/wwbn/avideo@26.0"
                                    }
                                }
                            },
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/>=0|<=26.0",
                                "product": {
                                    "name": "vers:unknown/>=0|<=26.0",
                                    "product_id": "CSAFPID-5878929"
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "avideo"
                    }
                ],
                "category": "vendor",
                "name": "WWBN"
            }
        ]
    },
    "vulnerabilities": [
        {
            "cve": "CVE-2026-33499",
            "cwe": {
                "id": "CWE-79",
                "name": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
            },
            "notes": [
                {
                    "category": "description",
                    "text": "## Summary\n\nThe `view/forbiddenPage.php` and `view/warningPage.php` templates reflect the `$_REQUEST['unlockPassword']` parameter directly into an HTML `<input>` tag's attributes without any output encoding or sanitization. An attacker can craft a URL that breaks out of the `value` attribute and injects arbitrary HTML attributes including JavaScript event handlers, achieving reflected XSS against any visitor who clicks the link.\n\n## Details\n\nWhen a user visits a password-protected channel, `view/channel.php:22` calls:\n```php\nforbiddenPage('This channel is password protected', false, $channelPassword);\n```\n\nThe `forbiddenPage()` function in `objects/functionsSecurity.php:520` checks whether the supplied password matches. If it doesn't (or no password was submitted), it includes `view/forbiddenPage.php` at line 561.\n\nIn `view/forbiddenPage.php:31-35`, the raw request parameter is reflected into HTML:\n```php\n$value = '';\nif (!empty($_REQUEST['unlockPassword'])) {\n    $value = $_REQUEST['unlockPassword'];  // Line 33: unsanitized user input\n}\necho getInputPassword('unlockPassword', 'class=\"form-control\" value=\"' . $value . 
'\"', __('Unlock Password'));\n```\n\nThe `getInputPassword()` function at `objects/functions.php:4490` outputs the `$attributes` string directly into the `<input>` tag at line 4502:\n```php\n<input id=\"<?php echo $id; ?>\" name=\"<?php echo $id; ?>\" type=\"password\" placeholder=\"<?php echo $placeholder; ?>\" <?php echo $attributes; ?>>\n```\n\nThe `unlockPassword` parameter is **not listed** in any of the security filter arrays defined in `objects/security.php:4-8` (`$securityFilter`, `$securityFilterInt`, `$securityRemoveSingleQuotes`, `$securityRemoveNonChars`, `$securityRemoveNonCharsStrict`, `$filterURL`), so it passes through the global input sanitization completely unfiltered.\n\nCommit `3933d4abc` added sanitization only for the server-side password **comparison** in `functionsSecurity.php:529` (`preg_replace('/[^0-9a-z]/i', '', ...)`), but did not address the client-side reflection in the view templates.\n\nThe identical vulnerability exists in `view/warningPage.php:31-34`.\n\n## PoC\n\n**Step 1:** Identify a password-protected channel (or any page that triggers `forbiddenPage()` with an `$unlockPassword`).\n\n**Step 2:** Craft a URL with a malicious `unlockPassword` parameter that breaks out of the `value` attribute:\n\n```\nhttps://target.com/channel/someuser?unlockPassword=\" autofocus onfocus=\"alert(document.cookie)\n```\n\n**Step 3:** The server renders the following HTML:\n\n```html\n<input id=\"unlockPassword\" name=\"unlockPassword\" type=\"password\"\n  placeholder=\"Unlock Password\"\n  class=\"form-control\" value=\"\" autofocus onfocus=\"alert(document.cookie)\">\n```\n\nThe `autofocus` attribute causes the browser to immediately focus the input element on page load, triggering the `onfocus` event handler which executes the attacker-controlled JavaScript. 
No further user interaction is required beyond clicking the link.\n\n**Step 4:** The JavaScript executes in the context of the target domain, with access to cookies (no CSP or HttpOnly protections were observed), DOM, and the ability to make authenticated requests on behalf of the victim.\n\n## Impact\n\n- **Session hijacking**: An attacker can steal `PHPSESSID` cookies and impersonate any user (including administrators) who clicks the crafted link.\n- **Account takeover**: The injected JavaScript can change the victim's email/password by submitting forms to the application's account settings endpoints.\n- **Phishing**: The attacker can overlay fake login forms or redirect users to credential harvesting pages.\n- **No authentication required**: The vulnerable page is specifically shown to unauthenticated/unauthorized users, making the attack surface broad.\n\n## Recommended Fix\n\nApply `htmlspecialchars()` output encoding to the reflected value in both `view/forbiddenPage.php` and `view/warningPage.php`:\n\n**view/forbiddenPage.php** — change line 33:\n```php\n// Before (vulnerable):\n$value = $_REQUEST['unlockPassword'];\n\n// After (fixed):\n$value = htmlspecialchars($_REQUEST['unlockPassword'], ENT_QUOTES, 'UTF-8');\n```\n\n**view/warningPage.php** — change line 32:\n```php\n// Before (vulnerable):\n$value = $_REQUEST['unlockPassword'];\n\n// After (fixed):\n$value = htmlspecialchars($_REQUEST['unlockPassword'], ENT_QUOTES, 'UTF-8');\n```\n\nAlternatively, add `'unlockPassword'` to the `$securityFilter` array in `objects/security.php:4` to apply the global XSS filter, though explicit output encoding at the point of use is the more robust defense-in-depth approach.",
                    "title": "github - https://api.github.com/advisories/GHSA-7292-w8qp-mhq2"
                },
                {
                    "category": "description",
                    "text": "WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `view/forbiddenPage.php` and `view/warningPage.php` templates reflect the `$_REQUEST['unlockPassword']` parameter directly into an HTML `<input>` tag's attributes without any output encoding or sanitization. An attacker can craft a URL that breaks out of the `value` attribute and injects arbitrary HTML attributes including JavaScript event handlers, achieving reflected XSS against any visitor who clicks the link. Commit f154167251c9cf183ce09cd018d07e9352310457 contains a patch.",
                    "title": "cveprojectv5 - https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/33xxx/CVE-2026-33499.json"
                },
                {
                    "category": "description",
                    "text": "WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `view/forbiddenPage.php` and `view/warningPage.php` templates reflect the `$_REQUEST['unlockPassword']` parameter directly into an HTML `<input>` tag's attributes without any output encoding or sanitization. An attacker can craft a URL that breaks out of the `value` attribute and injects arbitrary HTML attributes including JavaScript event handlers, achieving reflected XSS against any visitor who clicks the link. Commit f154167251c9cf183ce09cd018d07e9352310457 contains a patch.",
                    "title": "nvd - https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-33499"
                },
                {
                    "category": "description",
                    "text": "## Summary\n\nThe `view/forbiddenPage.php` and `view/warningPage.php` templates reflect the `$_REQUEST['unlockPassword']` parameter directly into an HTML `<input>` tag's attributes without any output encoding or sanitization. An attacker can craft a URL that breaks out of the `value` attribute and injects arbitrary HTML attributes including JavaScript event handlers, achieving reflected XSS against any visitor who clicks the link.\n\n## Details\n\nWhen a user visits a password-protected channel, `view/channel.php:22` calls:\n```php\nforbiddenPage('This channel is password protected', false, $channelPassword);\n```\n\nThe `forbiddenPage()` function in `objects/functionsSecurity.php:520` checks whether the supplied password matches. If it doesn't (or no password was submitted), it includes `view/forbiddenPage.php` at line 561.\n\nIn `view/forbiddenPage.php:31-35`, the raw request parameter is reflected into HTML:\n```php\n$value = '';\nif (!empty($_REQUEST['unlockPassword'])) {\n    $value = $_REQUEST['unlockPassword'];  // Line 33: unsanitized user input\n}\necho getInputPassword('unlockPassword', 'class=\"form-control\" value=\"' . $value . 
'\"', __('Unlock Password'));\n```\n\nThe `getInputPassword()` function at `objects/functions.php:4490` outputs the `$attributes` string directly into the `<input>` tag at line 4502:\n```php\n<input id=\"<?php echo $id; ?>\" name=\"<?php echo $id; ?>\" type=\"password\" placeholder=\"<?php echo $placeholder; ?>\" <?php echo $attributes; ?>>\n```\n\nThe `unlockPassword` parameter is **not listed** in any of the security filter arrays defined in `objects/security.php:4-8` (`$securityFilter`, `$securityFilterInt`, `$securityRemoveSingleQuotes`, `$securityRemoveNonChars`, `$securityRemoveNonCharsStrict`, `$filterURL`), so it passes through the global input sanitization completely unfiltered.\n\nCommit `3933d4abc` added sanitization only for the server-side password **comparison** in `functionsSecurity.php:529` (`preg_replace('/[^0-9a-z]/i', '', ...)`), but did not address the client-side reflection in the view templates.\n\nThe identical vulnerability exists in `view/warningPage.php:31-34`.\n\n## PoC\n\n**Step 1:** Identify a password-protected channel (or any page that triggers `forbiddenPage()` with an `$unlockPassword`).\n\n**Step 2:** Craft a URL with a malicious `unlockPassword` parameter that breaks out of the `value` attribute:\n\n```\nhttps://target.com/channel/someuser?unlockPassword=\" autofocus onfocus=\"alert(document.cookie)\n```\n\n**Step 3:** The server renders the following HTML:\n\n```html\n<input id=\"unlockPassword\" name=\"unlockPassword\" type=\"password\"\n  placeholder=\"Unlock Password\"\n  class=\"form-control\" value=\"\" autofocus onfocus=\"alert(document.cookie)\">\n```\n\nThe `autofocus` attribute causes the browser to immediately focus the input element on page load, triggering the `onfocus` event handler which executes the attacker-controlled JavaScript. 
No further user interaction is required beyond clicking the link.\n\n**Step 4:** The JavaScript executes in the context of the target domain, with access to cookies (no CSP or HttpOnly protections were observed), DOM, and the ability to make authenticated requests on behalf of the victim.\n\n## Impact\n\n- **Session hijacking**: An attacker can steal `PHPSESSID` cookies and impersonate any user (including administrators) who clicks the crafted link.\n- **Account takeover**: The injected JavaScript can change the victim's email/password by submitting forms to the application's account settings endpoints.\n- **Phishing**: The attacker can overlay fake login forms or redirect users to credential harvesting pages.\n- **No authentication required**: The vulnerable page is specifically shown to unauthenticated/unauthorized users, making the attack surface broad.\n\n## Recommended Fix\n\nApply `htmlspecialchars()` output encoding to the reflected value in both `view/forbiddenPage.php` and `view/warningPage.php`:\n\n**view/forbiddenPage.php** — change line 33:\n```php\n// Before (vulnerable):\n$value = $_REQUEST['unlockPassword'];\n\n// After (fixed):\n$value = htmlspecialchars($_REQUEST['unlockPassword'], ENT_QUOTES, 'UTF-8');\n```\n\n**view/warningPage.php** — change line 32:\n```php\n// Before (vulnerable):\n$value = $_REQUEST['unlockPassword'];\n\n// After (fixed):\n$value = htmlspecialchars($_REQUEST['unlockPassword'], ENT_QUOTES, 'UTF-8');\n```\n\nAlternatively, add `'unlockPassword'` to the `$securityFilter` array in `objects/security.php:4` to apply the global XSS filter, though explicit output encoding at the point of use is the more robust defense-in-depth approach.",
                    "title": "osv - https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/Packagist%2FGHSA-7292-w8qp-mhq2.json?alt=media"
                },
                {
                    "category": "other",
                    "text": "0.0001",
                    "title": "EPSS"
                },
                {
                    "category": "other",
                    "text": "4.2",
                    "title": "NCSC Score"
                },
                {
                    "category": "other",
                    "text": "There is product data available from source Cveprojectv5",
                    "title": "NCSC Score top increasing factors"
                },
                {
                    "category": "other",
                    "text": "Is related to (a version of) an uncommon product, There is exploit data available from source Nvd",
                    "title": "NCSC Score top decreasing factors"
                }
            ],
            "product_status": {
                "known_affected": [
                    "CSAFPID-5893889",
                    "CSAFPID-5656122",
                    "CSAFPID-5656123",
                    "CSAFPID-5656124",
                    "CSAFPID-5656125",
                    "CSAFPID-5656126",
                    "CSAFPID-5656127",
                    "CSAFPID-5656128",
                    "CSAFPID-5656129",
                    "CSAFPID-5656130",
                    "CSAFPID-5656131",
                    "CSAFPID-5656132",
                    "CSAFPID-5656133",
                    "CSAFPID-5721197",
                    "CSAFPID-5772271",
                    "CSAFPID-5772272",
                    "CSAFPID-5840723",
                    "CSAFPID-5878928",
                    "CSAFPID-5878929"
                ]
            },
            "references": [
                {
                    "category": "external",
                    "summary": "Source - github",
                    "url": "https://api.github.com/advisories/GHSA-7292-w8qp-mhq2"
                },
                {
                    "category": "external",
                    "summary": "Source - cveprojectv5",
                    "url": "https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/33xxx/CVE-2026-33499.json"
                },
                {
                    "category": "external",
                    "summary": "Source - nvd",
                    "url": "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-33499"
                },
                {
                    "category": "external",
                    "summary": "Source - first",
                    "url": "https://api.first.org/data/v1/epss?limit=10000&offset=0"
                },
                {
                    "category": "external",
                    "summary": "Source - osv",
                    "url": "https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/Packagist%2FGHSA-7292-w8qp-mhq2.json?alt=media"
                },
                {
                    "category": "external",
                    "summary": "Reference - cveprojectv5; github; nvd; osv",
                    "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-7292-w8qp-mhq2"
                },
                {
                    "category": "external",
                    "summary": "Reference - github",
                    "url": "https://github.com/advisories/GHSA-7292-w8qp-mhq2"
                },
                {
                    "category": "external",
                    "summary": "Reference - cveprojectv5; github; nvd; osv",
                    "url": "https://github.com/WWBN/AVideo/commit/f154167251c9cf183ce09cd018d07e9352310457"
                },
                {
                    "category": "external",
                    "summary": "Reference - github; osv",
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33499"
                }
            ],
            "scores": [
                {
                    "cvss_v3": {
                        "version": "3.1",
                        "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
                        "baseScore": 6.1,
                        "baseSeverity": "MEDIUM"
                    },
                    "products": [
                        "CSAFPID-5656122",
                        "CSAFPID-5656123",
                        "CSAFPID-5656124",
                        "CSAFPID-5656125",
                        "CSAFPID-5656126",
                        "CSAFPID-5656127",
                        "CSAFPID-5656128",
                        "CSAFPID-5656129",
                        "CSAFPID-5656130",
                        "CSAFPID-5656131",
                        "CSAFPID-5656132",
                        "CSAFPID-5656133",
                        "CSAFPID-5721197",
                        "CSAFPID-5772271",
                        "CSAFPID-5772272",
                        "CSAFPID-5840723",
                        "CSAFPID-5878928",
                        "CSAFPID-5878929",
                        "CSAFPID-5893889"
                    ]
                }
            ],
            "title": "CVE-2026-33499"
        }
    ]
}