Client-Side Injection Flaws Expose Sessions and Sensitive Data in AVideo and dom-sanitizer
Two newly disclosed web application flaws expose users to client-side data theft through content injection. In AVideo's TopMenu plugin, a stored cross-site scripting issue tracked as GHSA-GMPC-FXG2-VCMQ carries a CVSS 3.1 score of 6.1 and allows attackers to inject JavaScript that can read document.cookie, steal active session tokens, and impersonate users or administrators. Because the TopMenu component is rendered globally across the application, a malicious payload can execute for all site visitors, creating broad exposure and enabling follow-on attacks such as credential harvesting and fake login prompts.
A separate issue in rhukster/dom-sanitizer, tracked as GHSA-93VF-569F-22CQ, allows CSS injection through SVG style tags and is rated 4.7 under CVSS 3.1. The flaw can be exploited remotely without authentication when a victim renders a crafted SVG in a browser, potentially disclosing the victim's IP address, browser details, exact page URL, and sensitive DOM-resident data such as CSRF tokens or partial session identifiers. While the sanitizer flaw does not directly alter server-side state or disrupt availability, both disclosures highlight how server-side handling of untrusted content can be turned into browser-based theft of session and application data.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
CSS injection vulnerability disclosed in rhukster/dom-sanitizer
A medium-severity CSS injection issue in PHP package rhukster/dom-sanitizer was publicly disclosed. The flaw, exploitable when a malicious SVG is rendered, could expose client-side data such as IP address, User-Agent, page URL, and potentially sensitive DOM content.
Stored XSS vulnerability disclosed in AVideo TopMenu plugin
A medium-severity stored cross-site scripting flaw affecting the AVideo TopMenu plugin was publicly reported. The issue could let attackers inject JavaScript that steals session tokens and potentially take over user or administrator accounts across globally rendered pages.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
GHSA-93VF-569F-22CQ: GHSA-93VF-569F-22CQ: CSS Injection in PHP rhukster/dom-sanitizer via SVG Style Tags | CVEReports
cvereports.com
Open sourceGHSA-GMPC-FXG2-VCMQ: GHSA-GMPC-FXG2-VCMQ: Stored Cross-Site Scripting (XSS) in AVideo TopMenu Plugin | CVEReports
cvereports.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
SSRF in Saloon PHP and Auth Model Leak in AVideo Expose Sensitive Data
Two newly disclosed vulnerabilities expose sensitive information in widely used web application components. **CVE-2026-33182** affects **Saloon PHP** and allows unauthenticated, network-based **server-side request forgery (SSRF)** that can leak API credentials and session tokens, potentially granting attackers access to integrated third-party services and enabling misuse of those external environments. The issue carries a **CVSS 4.0 score of 6.6** and is described as a high-confidentiality-impact flaw, with the host application's local database remaining intact even as connected systems may be exposed. A separate issue, **CVE-2026-33501**, affects the **WWBN AVideo Permissions Plugin** and discloses an application's internal authorization model by revealing mappings between user groups and specific plugins. Although rated lower at **CVSS v3.1 5.3** and not associated with credential or personally identifiable information exposure, the flaw provides valuable reconnaissance that can help attackers identify privileged roles, map the attack surface, and support follow-on privilege escalation attempts against vulnerable authenticated extensions.
Mar 26, 2026
Multiple Critical AVideo Flaws Enable Takeover, Session Hijacking, and SSRF
WWBN **AVideo** was found to contain multiple high-severity vulnerabilities that can let attackers seize control of deployments, hijack user sessions, and access internal network resources. On uninitialized instances running version **25.0 or earlier**, `install/checkConfiguration.php` could be abused without authentication to complete setup, create an administrator account, and write configuration files, enabling full application takeover under **CVE-2026-33038**. Separate insecure defaults in the official Docker deployment path, tracked as **CVE-2026-33037**, left new installations exposed to immediate administrative compromise because the admin password defaulted to **"password"** and database credentials defaulted to `avideo/avideo`, with no forced password change or effective hardening. AVideo also exposed users and infrastructure through web-facing flaws in session handling and URL fetching. Under **CVE-2026-33043**, `/objects/phpsessionid.json.php` disclosed active PHP session IDs to unauthenticated requests, and permissive CORS behavior could allow cross-origin session theft and account takeover. Two SSRF issues affected the unauthenticated `plugin/LiveLinks/proxy.php` endpoint: **CVE-2026-33039** allowed redirect-based bypass of URL safety checks in version **25.0 and earlier**, while **CVE-2026-33480** showed that `isSSRFSafeURL()` could also be bypassed with IPv4-mapped IPv6 addresses, extending exposure through version **26.0** and enabling access to localhost, RFC1918 networks, and cloud metadata services. WWBN issued fixes in **AVideo 26.0** for most of the disclosed flaws, with an additional patch published for the IPv6-based SSRF bypass.
Jun 8, 2026
AVideo Flaws Enable Remote Code Execution via Command Injection and Malicious Plugin Upload
WWBN **AVideo** versions up to and including `26.0` are affected by two high-severity flaws that can lead to **remote code execution**. `CVE-2026-33482` is an OS command injection bug in `sanitizeFFmpegCommand()`, which strips some shell metacharacters but fails to remove bash command substitution using `$()`. Because the resulting `ffmpeg` command is later executed in a double-quoted `sh -c` context by `execAsync()`, an attacker able to craft a valid encrypted payload can run arbitrary commands on the standalone encoder server. A separate issue, `CVE-2026-33507`, allows unauthenticated code execution through the plugin import workflow. The `objects/pluginImport.json.php` endpoint permits admin users to upload and install plugin ZIP archives containing executable PHP, but lacks **CSRF** protection; with `session.cookie_samesite = 'None'` on HTTPS connections, an attacker can trick a logged-in administrator into silently importing a malicious plugin and deploying a PHP webshell. Fixes were introduced in commits `25c8ab90269e3a01fb4cf205b40a373487f022e1` and `d1bc1695edd9ad4468a48cea0df6cd943a2635f3`.
Mar 23, 2026