Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Lifecycle Timeline
3DescriptionGitHub Advisory
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo YPTSocket plugin's caller feature renders incoming call notifications using the jQuery Toast Plugin, passing the caller's display name directly as the heading parameter. The toast plugin constructs the heading as raw HTML ('<h2>' + heading + '</h2>') and inserts it into the DOM via jQuery's .html() method, which parses and executes any embedded HTML or script content. An attacker can set their display name to an XSS payload and trigger code execution on any online user's browser simply by initiating a call - no victim interaction is required beyond being connected to the WebSocket. At time of publication, there are no publicly available patches.
AnalysisAI
Stored cross-site scripting (XSS) in WWBN AVideo versions 26.0 and prior allows authenticated attackers to execute arbitrary JavaScript in the browsers of online users without any victim interaction. An attacker with a user account can set their display name to an XSS payload; when they initiate a call via the YPTSocket plugin, the caller notification rendered by the jQuery Toast Plugin executes the malicious script in every connected user's browser, enabling session hijacking, credential theft, or further compromise. CVSS 6.4 reflects moderate complexity due to authentication requirement and limited direct impact scope.
Technical ContextAI
WWBN AVideo's YPTSocket plugin implements real-time call notifications using the jQuery Toast Plugin library. The vulnerability stems from unsafe DOM manipulation in the notification rendering logic: the plugin passes the caller's display name directly to the toast heading parameter without sanitization, and the jQuery Toast Plugin constructs the heading using string concatenation ('<h2>' + heading + '</h2>') before inserting it via jQuery's .html() method. The .html() method parses and executes embedded HTML and JavaScript, bypassing Content Security Policy protections if not configured. This is a classic example of CWE-79 (Improper Neutralization of Input During Web Page Generation) where user-controlled data enters an unsafe rendering pipeline. The attack requires WebSocket connectivity, meaning the victim must be actively logged into the AVideo platform and the attacker must have a valid user account to establish call signaling.
RemediationAI
At the time of this analysis, no vendor-released patch is available per the official GitHub Security Advisory (https://github.com/WWBN/AVideo/security/advisories/GHSA-w4hp-w536-jg64). Users should implement immediate mitigations: (1) Implement Content Security Policy (CSP) headers with 'script-src' restricting inline and eval execution to prevent XSS payload execution, though this does not address the root cause; (2) Disable or restrict the YPTSocket plugin/caller feature if not essential; (3) Enforce strict input validation on display name fields server-side, sanitizing all HTML special characters (< > & ' ") before storage and rendering; (4) Apply HTML entity encoding to the display name output before inserting into the DOM, replacing the unsafe .html() call with .text() or proper escaping libraries. Monitor the GitHub Security Advisory for patched version announcements and upgrade immediately upon availability. Contact WWBN support for guidance on patch timelines.
A cross-site scripting (xss) vulnerability exists in the functiongetOpenGraph videoName functionality of WWBN AVideo 11.
An issue in WWBN AVideo v.12.4 through v.14.2 allows a remote attacker to execute arbitrary code via the systemRootPath
A directory traversal vulnerability exists in the unzipDirectory functionality of WWBN AVideo 11.6 and dev master commit
An insufficient entropy vulnerability exists in the salt generation functionality of WWBN AVideo dev master commit 15fed
Unauthenticated SQL injection in AVideo before 24.0.
OS injection vulnerability in World Wide Broadcast Network AVideo version before 12.4, allows attackers to execute arbit
A reflected cross-site scripting (xss) vulnerability exists in the charts tab selection functionality of WWBN AVideo 11.
A cross-site scripting (xss) vulnerability exists in the channelBody.php user name functionality of WWBN AVideo 11.6 and
A cross-site scripting (xss) vulnerability exists in the videoAddNew functionality of WWBN AVideo 11.6 and dev master co
An insufficient entropy vulnerability exists in the userRecoverPass.php recoverPass generation functionality of WWBN AVi
WWBN AVideo is an open source video platform. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable
AVideo is an open source video platform. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-17646
GHSA-w4hp-w536-jg64