Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in AVideo - CVE-2026-34716

 

Published: April 8, 2026


Vulnerability identifier: #VU125491
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-34716
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: World Wide Broadcast Network
Affected software:
AVideo

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary script code in the victim's browser.

The vulnerability exists due to cross-site scripting in the YPTSocket caller notification handling in plugin/YPTSocket/caller.js when processing forged WebSocket call messages. A remote user can send a specially crafted WebSocket call message with a malicious from_identification value to execute arbitrary script code in the victim's browser.

The issue is triggered without user interaction when the victim is online and connected to the WebSocket, and exploitation requires a custom WebSocket client because the normal UI sanitizes display names.
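The bug class described above, shown as an added illustration rather than AVideo's own plugin/YPTSocket/caller.js: a caller name taken from a WebSocket message is interpolated into notification markup unescaped, beside the hardened form that neutralizes it on the client. The message shape ({type, from_identification}), the markup, and the function names are assumptions for this demonstration.

```javascript
// Added example for CVE-2026-34716's bug class; not AVideo's code.
// Message shape and notification markup are assumed, not taken from the project.

// Escape the characters that let a string break out of an HTML text or
// attribute context. Every untrusted field must pass through this before it
// reaches innerHTML or any template that the browser parses as HTML.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern: the display name is dropped into markup unchanged, so
// a forged frame controls what the browser parses.
function renderCallerNotificationUnsafe(msg) {
  return `<div class="caller">Incoming call from ${msg.from_identification}</div>`;
}

// Hardened pattern: identical markup, but the untrusted field is escaped.
// Relying on the sending UI to sanitize names is not a defence, because a
// custom WebSocket client can put anything in the field.
function renderCallerNotificationSafe(msg) {
  return `<div class="caller">Incoming call from ${escapeHtml(msg.from_identification)}</div>`;
}

// Parse one raw WebSocket frame and validate its shape before rendering.
// Returns null for frames that are not a well-formed call message.
function handleCallMessage(rawFrame, render = renderCallerNotificationSafe) {
  let msg;
  try {
    msg = JSON.parse(rawFrame);
  } catch (e) {
    return null;
  }
  if (!msg || msg.type !== 'call' || typeof msg.from_identification !== 'string') {
    return null;
  }
  return render(msg);
}

// Constructed frame: a display name carrying markup, as a forged client
// could send it. A harmless <b> tag is enough to show whether the browser
// would interpret the name as HTML or display it as text.
const forgedFrame = JSON.stringify({ type: 'call', from_identification: '<b>Eve</b>' });

// Simple review check: does the rendered notification still contain the
// raw tag from the input? True means the field was not neutralized.
function rendersRawMarkup(rendered) {
  return /<b>/.test(rendered);
}
```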


How to mitigate CVE-2026-34716

Install security update from vendor's website.

Sources