Skip to main content

Avideo CVE-2026-34716

| EUVDEUVD-2026-17646 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-03-31 GitHub_M GHSA-w4hp-w536-jg64
6.4
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

3
EUVD ID Assigned
Mar 31, 2026 - 21:14 euvd
EUVD-2026-17646
Analysis Generated
Mar 31, 2026 - 21:14 vuln.today
CVE Published
Mar 31, 2026 - 20:49 nvd
MEDIUM 6.4

DescriptionGitHub Advisory

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo YPTSocket plugin's caller feature renders incoming call notifications using the jQuery Toast Plugin, passing the caller's display name directly as the heading parameter. The toast plugin constructs the heading as raw HTML ('<h2>' + heading + '</h2>') and inserts it into the DOM via jQuery's .html() method, which parses and executes any embedded HTML or script content. An attacker can set their display name to an XSS payload and trigger code execution on any online user's browser simply by initiating a call - no victim interaction is required beyond being connected to the WebSocket. At time of publication, there are no publicly available patches.

AnalysisAI

Stored cross-site scripting (XSS) in WWBN AVideo versions 26.0 and prior allows authenticated attackers to execute arbitrary JavaScript in the browsers of online users without any victim interaction. An attacker with a user account can set their display name to an XSS payload; when they initiate a call via the YPTSocket plugin, the caller notification rendered by the jQuery Toast Plugin executes the malicious script in every connected user's browser, enabling session hijacking, credential theft, or further compromise. CVSS 6.4 reflects moderate complexity due to authentication requirement and limited direct impact scope.

Technical ContextAI

WWBN AVideo's YPTSocket plugin implements real-time call notifications using the jQuery Toast Plugin library. The vulnerability stems from unsafe DOM manipulation in the notification rendering logic: the plugin passes the caller's display name directly to the toast heading parameter without sanitization, and the jQuery Toast Plugin constructs the heading using string concatenation ('<h2>' + heading + '</h2>') before inserting it via jQuery's .html() method. The .html() method parses and executes embedded HTML and JavaScript, bypassing Content Security Policy protections if not configured. This is a classic example of CWE-79 (Improper Neutralization of Input During Web Page Generation) where user-controlled data enters an unsafe rendering pipeline. The attack requires WebSocket connectivity, meaning the victim must be actively logged into the AVideo platform and the attacker must have a valid user account to establish call signaling.

RemediationAI

At the time of this analysis, no vendor-released patch is available per the official GitHub Security Advisory (https://github.com/WWBN/AVideo/security/advisories/GHSA-w4hp-w536-jg64). Users should implement immediate mitigations: (1) Implement Content Security Policy (CSP) headers with 'script-src' restricting inline and eval execution to prevent XSS payload execution, though this does not address the root cause; (2) Disable or restrict the YPTSocket plugin/caller feature if not essential; (3) Enforce strict input validation on display name fields server-side, sanitizing all HTML special characters (< > & ' ") before storage and rendering; (4) Apply HTML entity encoding to the display name output before inserting into the DOM, replacing the unsafe .html() call with .text() or proper escaping libraries. Monitor the GitHub Security Advisory for patched version announcements and upgrade immediately upon availability. Contact WWBN support for guidance on patch timelines.

More in Avideo

View all
CVE-2023-48728 CRITICAL POC
9.6 Jan 10

A cross-site scripting (xss) vulnerability exists in the functiongetOpenGraph videoName functionality of WWBN AVideo 11.

CVE-2024-31819 CRITICAL POC
9.8 Apr 10

An issue in WWBN AVideo v.12.4 through v.14.2 allows a remote attacker to execute arbitrary code via the systemRootPath

CVE-2022-30547 CRITICAL POC
9.9 Aug 22

A directory traversal vulnerability exists in the unzipDirectory functionality of WWBN AVideo 11.6 and dev master commit

CVE-2023-49599 CRITICAL POC
9.8 Jan 10

An insufficient entropy vulnerability exists in the salt generation functionality of WWBN AVideo dev master commit 15fed

CVE-2026-28501 CRITICAL POC
9.8 Mar 06

Unauthenticated SQL injection in AVideo before 24.0.

CVE-2023-25313 CRITICAL POC
9.8 Apr 25

OS injection vulnerability in World Wide Broadcast Network AVideo version before 12.4, allows attackers to execute arbit

CVE-2022-26842 CRITICAL POC
9.6 Aug 22

A reflected cross-site scripting (xss) vulnerability exists in the charts tab selection functionality of WWBN AVideo 11.

CVE-2023-47861 CRITICAL POC
9.0 Jan 10

A cross-site scripting (xss) vulnerability exists in the channelBody.php user name functionality of WWBN AVideo 11.6 and

CVE-2022-28712 CRITICAL POC
9.0 Aug 22

A cross-site scripting (xss) vulnerability exists in the videoAddNew functionality of WWBN AVideo 11.6 and dev master co

CVE-2023-49589 HIGH POC
8.8 Jan 10

An insufficient entropy vulnerability exists in the userRecoverPass.php recoverPass generation functionality of WWBN AVi

CVE-2023-32073 HIGH POC
8.8 May 12

WWBN AVideo is an open source video platform. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable

CVE-2023-30854 HIGH POC
8.8 Apr 28

AVideo is an open source video platform. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low

Share

CVE-2026-34716 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy