Cross-site scripting in AVideo - CVE-2026-34396
Published: May 4, 2026
AVideo
Detailed vulnerability description
The vulnerability allows a remote attacker to execute arbitrary script code in a victim's browser in the context of the admin panel.
The vulnerability exists because plugin configuration values are not properly neutralized when the admin panel renders stored configuration data. A remote attacker can inject specially crafted configuration values to execute arbitrary script code in a victim's browser in the context of the admin panel.
User interaction is required: an administrator must view the affected admin panel content.
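The weakness class described above, shown as an added example that is not AVideo's code: stored configuration values echoed into an admin page as-is, next to a renderer that encodes every key and value at output time. All function names, the configuration layout and the sample values are hypothetical and constructed for illustration.

```php
<?php
// Added illustration; every name here is hypothetical, none is AVideo's own code.
// Constructed sample of plugin configuration as read back from storage.
$storedConfig = [
    'title'    => 'Live chat',
    'greeting' => '<script>alert(1)</script>',   // constructed markup in a value
    'cssClass' => 'box" onmouseover="alert(1)',  // constructed attribute break-out
    'limits'   => ['maxUsers' => 50, 'note' => '<b>x</b>'],
];

// Before: the stored value reaches the page unchanged, so markup inside it
// is parsed by the administrator's browser.
function renderRowUnsafe(string $key, string $value): string {
    return "<tr><td>$key</td><td><input name=\"$key\" value=\"$value\"></td></tr>";
}

// Encode for HTML text and quoted-attribute contexts.
function e(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Flatten nested settings to name => string so every leaf passes through e().
function flatten(array $config, string $prefix = ''): array {
    $out = [];
    foreach ($config as $k => $v) {
        $name = $prefix === '' ? (string)$k : $prefix . '[' . $k . ']';
        if (is_array($v)) {
            $out += flatten($v, $name);
        } else {
            $out[$name] = is_bool($v) ? ($v ? 'true' : 'false') : (string)$v;
        }
    }
    return $out;
}

// After: keys and values are both encoded at the point of output.
function renderRowSafe(string $key, string $value): string {
    return '<tr><td>' . e($key) . '</td><td><input name="' . e($key)
         . '" value="' . e($value) . '"></td></tr>';
}

function renderConfigTable(array $config): string {
    $rows = '';
    foreach (flatten($config) as $k => $v) {
        $rows .= renderRowSafe((string)$k, $v);
    }
    return "<table>$rows</table>";
}

echo renderRowUnsafe('greeting', $storedConfig['greeting']), PHP_EOL;
echo renderConfigTable($storedConfig), PHP_EOL;
```

Encoding at render time covers values that were stored before any input validation existed, which validation on save alone does not.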