Client-Side Injection Flaws Expose Sessions and Sensitive Data in AVideo and dom-sanitizer
Two newly disclosed web application flaws expose users to client-side data theft through content injection. In AVideo's TopMenu plugin, a stored cross-site scripting issue tracked as GHSA-GMPC-FXG2-VCMQ carries a CVSS 3.1 score of 6.1 and allows attackers to inject JavaScript that can read document.cookie, steal active session tokens, and impersonate users or administrators. Because the TopMenu component is rendered globally across the application, a malicious payload can execute for all site visitors, creating broad exposure and enabling follow-on attacks such as credential harvesting and fake login prompts.
A separate issue in rhukster/dom-sanitizer, tracked as GHSA-93VF-569F-22CQ, allows CSS injection through SVG style tags and is rated 4.7 under CVSS 3.1. The flaw can be exploited remotely without authentication when a victim renders a crafted SVG in a browser, potentially disclosing the victim's IP address, browser details, exact page URL, and sensitive DOM-resident data such as CSRF tokens or partial session identifiers. While the sanitizer flaw does not directly alter server-side state or disrupt availability, both disclosures highlight how server-side handling of untrusted content can be turned into browser-based theft of session and application data.
Timeline
Apr 10, 2026
CSS injection vulnerability disclosed in rhukster/dom-sanitizer
A medium-severity CSS injection issue in PHP package rhukster/dom-sanitizer was publicly disclosed. The flaw, exploitable when a malicious SVG is rendered, could expose client-side data such as IP address, User-Agent, page URL, and potentially sensitive DOM content.
Apr 1, 2026
Stored XSS vulnerability disclosed in AVideo TopMenu plugin
A medium-severity stored cross-site scripting flaw affecting the AVideo TopMenu plugin was publicly reported. The issue could let attackers inject JavaScript that steals session tokens and potentially take over user or administrator accounts across globally rendered pages.
See the full picture in Mallory
Mallory subscribers get deeper analysis on every story, including:
Who’s affected and how
Deep-dive technical analysis
Actionable next steps for your team
IPs, domains, hashes, and more
Ask questions and take action on every story
Filter by topic, classification, timeframe
Get matching stories delivered automatically
Related Entities
Affected Products
Sources
Related Stories
SSRF in Saloon PHP and Auth Model Leak in AVideo Expose Sensitive Data
Two newly disclosed vulnerabilities expose sensitive information in widely used web application components. **CVE-2026-33182** affects **Saloon PHP** and allows unauthenticated, network-based **server-side request forgery (SSRF)** that can leak API credentials and session tokens, potentially granting attackers access to integrated third-party services and enabling misuse of those external environments. The issue carries a **CVSS 4.0 score of 6.6** and is described as a high-confidentiality-impact flaw, with the host application's local database remaining intact even as connected systems may be exposed. A separate issue, **CVE-2026-33501**, affects the **WWBN AVideo Permissions Plugin** and discloses an application's internal authorization model by revealing mappings between user groups and specific plugins. Although rated lower at **CVSS v3.1 5.3** and not associated with credential or personally identifiable information exposure, the flaw provides valuable reconnaissance that can help attackers identify privileged roles, map the attack surface, and support follow-on privilege escalation attempts against vulnerable authenticated extensions.
1 months ago
AVideo Flaws Enable Remote Code Execution via Command Injection and Malicious Plugin Upload
WWBN **AVideo** versions up to and including `26.0` are affected by two high-severity flaws that can lead to **remote code execution**. `CVE-2026-33482` is an OS command injection bug in `sanitizeFFmpegCommand()`, which strips some shell metacharacters but fails to remove bash command substitution using `$()`. Because the resulting `ffmpeg` command is later executed in a double-quoted `sh -c` context by `execAsync()`, an attacker able to craft a valid encrypted payload can run arbitrary commands on the standalone encoder server. A separate issue, `CVE-2026-33507`, allows unauthenticated code execution through the plugin import workflow. The `objects/pluginImport.json.php` endpoint permits admin users to upload and install plugin ZIP archives containing executable PHP, but lacks **CSRF** protection; with `session.cookie_samesite = 'None'` on HTTPS connections, an attacker can trick a logged-in administrator into silently importing a malicious plugin and deploying a PHP webshell. Fixes were introduced in commits `25c8ab90269e3a01fb4cf205b40a373487f022e1` and `d1bc1695edd9ad4468a48cea0df6cd943a2635f3`.
1 months ago
AVideo Flaws Enable Unauthenticated Takeover and SSRF on Exposed Deployments
WWBN **AVideo** versions `25.0` and earlier were found to contain two high-severity vulnerabilities that can be exploited without authentication. `CVE-2026-33038` allows full application takeover on uninitialized deployments because the exposed `install/checkConfiguration.php` endpoint can accept unauthenticated `POST` data to complete setup, create an administrator account, configure the database, and write the application's configuration file. Systems that have not yet created `videos/configuration.php` are especially at risk, as an attacker can initialize the platform with attacker-controlled credentials and infrastructure, gaining full administrative access. A second flaw, `CVE-2026-33039`, affects the `plugin/LiveLinks/proxy.php` endpoint and enables **server-side request forgery (SSRF)** through an HTTP redirect bypass. AVideo validates only the initial user-supplied URL, but does not re-validate redirect targets fetched by the proxy logic, allowing attackers to reach internal resources such as **RFC1918** addresses and cloud metadata services. Both issues were addressed in **AVideo `26.0`**, with the takeover bug classified as `CWE-306` and the SSRF bug as `CWE-918`.
1 weeks ago