CVE-2026-34716 is a reflected cross-site scripting (XSS) vulnerability found in WWBN AVideo, an open-source video platform, specifically affecting versions 26.0 and prior. The vulnerability exists in the YPTSocket plugin's caller feature, which handles incoming call notifications by rendering the caller's display name using the jQuery Toast Plugin. The plugin constructs the notification heading as raw HTML by concatenating the display name within <h2> tags and inserts it into the DOM using jQuery's .html() method. This method parses and executes any embedded HTML or JavaScript code, and because the display name is not sanitized or escaped, an attacker can inject malicious scripts. By setting their display name to a crafted XSS payload, an attacker can execute arbitrary JavaScript in the browsers of any online users connected to the WebSocket simply by initiating a call. This attack requires no victim interaction beyond being connected and online, making it highly exploitable. The vulnerability impacts confidentiality and integrity by enabling session hijacking, credential theft, or other malicious actions via script execution. At the time of disclosure, no patches or official fixes are available, and no public exploits have been observed. The CVSS v3.1 score of 6.4 reflects a medium severity with network attack vector, low complexity, privileges required, no user interaction, and a scope change due to affecting other users' browsers.

The primary impact of CVE-2026-34716 is the potential for attackers to execute arbitrary JavaScript code in the browsers of users connected to the WWBN AVideo platform. This can lead to theft of sensitive information such as session cookies, user credentials, or other personal data, enabling account compromise and unauthorized access. Additionally, attackers could perform actions on behalf of victims, manipulate the user interface, or spread malware. Since the attack requires no user interaction beyond being online, it can be triggered silently and broadly, increasing the risk of widespread exploitation in environments where AVideo is used for video streaming or conferencing. The vulnerability affects the integrity and confidentiality of user data and communications but does not impact system availability directly. Organizations relying on AVideo for internal or external communications may face reputational damage, data breaches, and compliance violations if exploited.

To mitigate CVE-2026-34716, organizations should immediately restrict or monitor usage of the YPTSocket plugin's caller feature until a patch is available. Administrators can disable or remove the plugin to prevent the vulnerable code path from executing. If disabling is not feasible, implement input validation and output encoding on the caller display name to sanitize any HTML or script content before rendering. Employ Content Security Policy (CSP) headers to restrict script execution and reduce the impact of injected scripts. Regularly monitor network traffic and WebSocket connections for suspicious call initiation patterns. Educate users about the risk and encourage use of updated browsers with built-in XSS protections. Finally, track vendor communications for official patches or updates and apply them promptly once released. Avoid relying solely on client-side mitigations, as the vulnerability stems from server-side input handling.