CVE-2026-45580

by Fred · 29/05/2026

WWBN AVideo is an open source video platform. In 29.0 and earlier, there is a stored cross-site scripting vulnerability. The Live plugin’s “YouTube-style” view renders the live transmission’s stream key into an HTML class attribute by raw echo, without htmlspecialchars(). A canStream user can persist a key containing ” plus an event handler via plugin/Live/saveLive.php, and any visitor (logged in or anonymous) opening the stream’s live page executes attacker JavaScript in the platform origin.

More information : https://github.com/WWBN/AVideo/security/advisories/GHSA-m5j4-7r85-2cj2

CVE-2026-45580

Similar

Recent Posts

Categories

CVE-2026-45580

Share this:

Similar

Recent Posts

Categories

Tags