CVE-2026-34739

| EUVD-2026-17658 MEDIUM
2026-03-31 GitHub_M GHSA-jqrj-chh6-8h78
6.1
CVSS 3.1
Share

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

4
Patch Released
Apr 02, 2026 - 02:30 nvd
Patch available
Analysis Generated
Mar 31, 2026 - 21:14 vuln.today
EUVD ID Assigned
Mar 31, 2026 - 21:14 euvd
EUVD-2026-17658
CVE Published
Mar 31, 2026 - 20:56 nvd
MEDIUM 6.1

Tags

PHP XSS

Description

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the User_Location plugin's testIP.php page reflects the ip request parameter directly into an HTML input element without applying htmlspecialchars() or any other output encoding. This allows an attacker to inject arbitrary HTML and JavaScript via a crafted URL. Although the page is restricted to admin users, AVideo's SameSite=None cookie configuration allows cross-origin exploitation, meaning an attacker can lure an admin to a malicious link that executes JavaScript in their authenticated session. At time of publication, there are no publicly available patches.

Analysis

Stored cross-site scripting (XSS) via unencoded HTML reflection in WWBN AVideo's User_Location plugin testIP.php endpoint allows authenticated attackers to execute arbitrary JavaScript in admin sessions. Affecting AVideo 26.0 and earlier, the vulnerability exploits SameSite=None cookie configuration to enable cross-origin exploitation, permitting unauthenticated attackers to lure admins to malicious links that hijack their authenticated context. …

Sign in for full analysis, threat intelligence, and remediation guidance.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

Priority Score

31
Low Medium High Critical
KEV: 0
EPSS: +0.0
CVSS: +30
POC: 0

Share

CVE-2026-34739 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy