CVE-2026-50182

MEDIUMPre-NVD 6.16.1
EchelonGraph scoreLOW confidence

Score 6.1 from GitHub Security Advisory published 2026-06-04. the CNA's CVSS baseline 6.1; sources differ by 0.0.

Triggered by: GitHub Security Advisory CVSS
Sources: cna:github_m, epss, ghsa
6.1
EchelonGraph verdictMonitorLow exploitation likelihood right now — keep watching.
  • Lower severity and no public exploit yet
CISA-KEV: Not listedEPSS: 0%CVSS: 6.1Exploit: NoneExposed: 0

No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.

WWBN AVideo: Unauthenticated Reflected XSS via $_GET['search'] in AVideo YouTubeAPI Gallery Pagination

Unauthenticated Reflected XSS via $_GET['search'] in AVideo YouTubeAPI Gallery Pagination

Summary

A reflected Cross-Site Scripting vulnerability (CWE-79) in the AVideo YouTubeAPI plugin allows any unauthenticated attacker to execute arbitrary JavaScript in a victim's browser session when the victim follows a crafted URL. The $_GET['search'] query parameter is concatenated directly into the href attribute of two pagination links in plugin/YouTubeAPI/gallerySection.php (lines 67 and 74) with no htmlspecialchars, no urlencode, and no allow-list check. An injected ` element is then extracted by the AVideo Layout plugin and concatenated into a single trailing inline script block at the bottom of the page, where the browser executes it.

Details

plugin/YouTubeAPI/gallerySection.php renders the YouTubeAPI plugin's gallery section on the AVideo homepage (and every page that includes plugin/Gallery/view/mainArea.php) when the API plugin is enabled with showGallerySection=true (the default). The pagination block at lines 67 and 74 builds the previous-page and next-page elements by string-interpolating $_GET['search'] directly:

// plugin/YouTubeAPI/gallerySection.php:67
prevPageToken}&search=".(@$_GET['search']); ?>" ...>

// plugin/YouTubeAPI/gallerySection.php:74 nextPageToken}&search=".(@$_GET['search']); ?>" ...>

The @ operator only suppresses an undefined-index warning; it does not sanitize the value. A payload like ">alert(1337) closes the href attribute, closes the element, and injects a fresh tag.

Two preconditions gate the sink. First, the YouTube API call must return a pagination token (always true for any non-trivial result set, since the mock or real YouTube response carries nextPageToken for multi-page queries). Second, plugin/Gallery/view/mainArea.php line 53 wraps the gallery render in if (!empty($video)) { echo AVideoPlugin::getGallerySection(); } else { /* output captured and discarded */ }. When $_GET['search'] is set, Video::getVideo() adds a MySQL fulltext MATCH(v.title) AGAINST () IN NATURAL LANGUAGE MODE clause; the payload tokenizes to words like script, alert, 1337, and the gate passes whenever any video in the corpus has a title containing one of those words. Realistic deployments overwhelmingly satisfy this; the attacker can also seed the payload with a common word (?search=video">...) to guarantee a fulltext hit.

The AVideo Layout plugin (plugin/Layout/Layout.php:611, enabled by default) runs Layout::organizeHTML() over the final HTML, extracts every inline ]*>(.*) block via regex, and concatenates their inner contents into one trailing block placed immediately before . The injected alert(1337) is therefore moved out of the original href context and into a clean executable script block; the visible pagination markup retains only the leftover &search="> bytes.

Affected product: AVideo (WWBN), API + YouTubeAPI + Layout plugins Tested version: master branch, commit 122b184 (snapshot dated 2026-05-22)

PoC

The AVideo deployment must have the YouTubeAPI plugin enabled with the default showGallerySection=true. The payload also needs to satisfy the fulltext MATCH(v.title) AGAINST gate that Video::getVideo() adds when $_GET['search'] is set: at least one video in the corpus must have a title containing one of the payload's tokens. In the live confirmation a video titled Tutorial about script error alerts satisfied the gate via the words script and alert. Seeding the payload with the common word video guarantees a hit on any realistic AVideo deployment, since video appears in nearly every video title.

Open the following URL in any browser. No authentication, no session cookie, no prior interaction with the site is required:

https://avideo.example/?search=video%22%3E%3Cscript%3Ealert(1337)%3C%2Fscript%3E&page=2

The browser fires an alert(1337) modal dialog as soon as the homepage finishes rendering. The injected is no longer inside the href markup at render time; it lives inside the page's single trailing inline script block, surfaced there by the Layout plugin's HTML reorganization.

Impact

This is a Reflected XSS vulnerability (CWE-79) on the AVideo public homepage. Any unauthenticated remote attacker who induces a victim to follow a crafted URL executes arbitrary JavaScript in the victim's browser session under the AVideo origin, reading non-HttpOnly` cookies and issuing authenticated AJAX requests as the victim. When the victim is an AVideo administrator, the injected JavaScript performs any admin action (create user, promote to admin, change configuration, install plugin) that uses cookie-based authentication without an additional CSRF token, escalating a single click on a crafted link into full administrative takeover.

CVSS v3
6.1
EG Score
6.1(low)
EPSS
26.4%
KEV
Not listed

Published

June 4, 2026

Last Modified

June 4, 2026

Vendor Advisories for CVE-2026-50182(1)

These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.

Patch Availability(1)

Vendor / EcosystemFixed in / PatchReleasedSource
composerWWBN/AVideoghsa

Patches are aggregated from vendor advisories (Red Hat, Microsoft, Cisco, GitHub) and package ecosystems (OSV, GHSA). Multiple rows for the same upstream release have been deduplicated.

Affected Packages

(1 across 1 ecosystem)
Packagist(1)
PackageVulnerable rangeFixed inDependents
WWBN/AVideo

Weakness Classification(1)

MITRE Common Weakness Enumeration — the root-cause categories this CVE belongs to.

Data Freshness Timeline

(refreshed 6× in last 7d / 49× in last 30d)

Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.

  1. 2026-07-08 09:36 UTCEG score recompute
  2. 2026-07-08 09:36 UTCGHSA enrichment
  3. 2026-07-06 02:50 UTCEG score recompute
  4. 2026-07-06 02:49 UTCGHSA enrichment
  5. 2026-07-03 02:13 UTCEG score recompute
  6. 2026-07-03 02:12 UTCGHSA enrichment
  7. 2026-07-01 23:46 UTCEG score recompute
  8. 2026-07-01 23:45 UTCGHSA enrichment
  9. 2026-06-30 21:56 UTCEG score recompute
  10. 2026-06-30 21:56 UTCGHSA enrichment
  11. 2026-06-29 20:11 UTCEG score recompute
  12. 2026-06-29 20:11 UTCGHSA enrichment
  13. 2026-06-28 18:26 UTCEG score recompute
  14. 2026-06-28 18:26 UTCGHSA enrichment
  15. 2026-06-27 16:41 UTCEG score recompute
  16. 2026-06-27 16:41 UTCGHSA enrichment
  17. 2026-06-26 14:55 UTCEG score recompute
  18. 2026-06-26 14:55 UTCGHSA enrichment
  19. 2026-06-25 10:48 UTCEG score recompute
  20. 2026-06-25 10:48 UTCGHSA enrichment
  21. 2026-06-24 09:00 UTCEG score recompute
  22. 2026-06-24 08:59 UTCGHSA enrichment
  23. 2026-06-23 01:55 UTCEG score recompute
  24. 2026-06-23 01:55 UTCGHSA enrichment
  25. 2026-06-19 23:49 UTCEG score recompute
Show 32 more
  1. 2026-06-19 23:49 UTCGHSA enrichment
  2. 2026-06-18 21:21 UTCEG score recompute
  3. 2026-06-18 21:21 UTCGHSA enrichment
  4. 2026-06-17 17:24 UTCEG score recompute
  5. 2026-06-17 17:24 UTCGHSA enrichment
  6. 2026-06-16 14:24 UTCEG score recompute
  7. 2026-06-16 14:24 UTCGHSA enrichment
  8. 2026-06-15 12:39 UTCEG score recompute
  9. 2026-06-15 12:39 UTCGHSA enrichment
  10. 2026-06-14 23:18 UTCEPSS rescore
  11. 2026-06-14 10:54 UTCEG score recompute
  12. 2026-06-14 10:54 UTCGHSA enrichment
  13. 2026-06-13 23:00 UTCEPSS rescore
  14. 2026-06-13 09:10 UTCEG score recompute
  15. 2026-06-13 09:10 UTCGHSA enrichment
  16. 2026-06-12 23:12 UTCEPSS rescore
  17. 2026-06-12 07:24 UTCEG score recompute
  18. 2026-06-12 07:24 UTCGHSA enrichment
  19. 2026-06-11 05:39 UTCEG score recompute
  20. 2026-06-11 05:39 UTCGHSA enrichment
  21. 2026-06-10 03:54 UTCEG score recompute
  22. 2026-06-10 03:54 UTCGHSA enrichment
  23. 2026-06-09 02:10 UTCEG score recompute
  24. 2026-06-09 02:10 UTCGHSA enrichment
  25. 2026-06-08 00:24 UTCEG score recompute
  26. 2026-06-08 00:24 UTCGHSA enrichment
  27. 2026-06-06 22:40 UTCEG score recompute
  28. 2026-06-06 22:40 UTCGHSA enrichment
  29. 2026-06-05 20:55 UTCEG score recompute
  30. 2026-06-05 20:55 UTCGHSA enrichment
  31. 2026-06-04 19:10 UTCEG score recompute
  32. 2026-06-04 19:10 UTCGHSA enrichment

Frequently asked(5)

What is CVE-2026-50182?
CVE-2026-50182 is a medium vulnerability published on June 4, 2026. WWBN AVideo: Unauthenticated Reflected XSS via $_GET['search'] in AVideo YouTubeAPI Gallery Pagination Unauthenticated Reflected XSS via $_GET['search'] in AVideo YouTubeAPI Gallery Pagination Summary A reflected Cross-Site Scripting vulnerability (CWE-79) in the AVideo YouTubeAPI plugin allows any…
When was CVE-2026-50182 disclosed?
CVE-2026-50182 was first published in the National Vulnerability Database on June 4, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.
Is CVE-2026-50182 actively exploited?
CVE-2026-50182 is not currently on CISA's Known Exploited Vulnerabilities catalog. FIRST EPSS estimates a 26.4% percentile likelihood of exploitation in the next 30 days — higher percentiles indicate greater predicted risk.
What is the CVSS score of CVE-2026-50182?
CVE-2026-50182 has a CVSS v4.0 base score of 6.1 (CNA self-assessment; NVD's own analysis pending).
How do I remediate CVE-2026-50182?
Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2026-50182, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

See which npm, PyPI, Go, and Maven packages are affected by CVE-2026-50182

Explore →

Is Your Infrastructure Affected by CVE-2026-50182?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.