WWBN AVideo is an open source video platform. In versions up to and including 26.0, the "view/forbiddenPage.php" and "view/warningPage.php" templates reflect the "$_REQUEST['unlockPassword']" parameter directly into an HTML "<input>" tag's attributes without any output encoding or sanitization. An attacker can craft a URL that breaks out of the "value" attribute and injects arbitrary HTML attributes including JavaScript event handlers, achieving reflected XSS against any visitor who clicks the link. Commit f154167251c9cf183ce09cd018d07e9352310457 contains a patch.