CVE-2026-34716: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in WWBN AVideo
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo YPTSocket plugin's caller feature renders incoming call notifications using the jQuery Toast Plugin, passing the caller's display name directly as the heading parameter. The toast plugin constructs the heading as raw HTML ('<h2>' + heading + '</h2>') and inserts it into the DOM via jQuery's .html() method, which parses and executes any embedded HTML or script content. An attacker can set their display name to an XSS payload and trigger code execution on any online user's browser simply by initiating a call - no victim interaction is required beyond being connected to the WebSocket. At time of publication, there are no publicly available patches.
AI Analysis
Technical Summary
WWBN AVideo versions 26.0 and prior contain an XSS vulnerability in the YPTSocket plugin's caller feature. The plugin uses the jQuery Toast Plugin to render incoming call notifications, inserting the caller's display name directly into the DOM as raw HTML via jQuery's .html() method. This allows an attacker to inject arbitrary HTML or script code by setting their display name to a malicious payload. When the attacker initiates a call, the payload executes in the browsers of all online users connected to the WebSocket, requiring no user interaction beyond being connected. There are no publicly available patches or fixes at the time of this report.
Potential Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of other users' browsers connected to the AVideo platform. This can lead to theft of session tokens, user impersonation, or other client-side attacks. The vulnerability affects confidentiality and integrity but does not impact availability. The CVSS score of 6.4 reflects a medium severity with network attack vector, low attack complexity, and no user interaction required.
Mitigation Recommendations
At the time of publication, no official patches or fixes are available for this vulnerability. Users of WWBN AVideo should monitor the vendor's advisories for updates. As a temporary mitigation, administrators may consider disabling or restricting the YPTSocket plugin's caller feature or filtering/sanitizing user display names before they are rendered. Avoid exposing the vulnerable functionality to untrusted users until an official fix is released.
CVE-2026-34716: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in WWBN AVideo
Description
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo YPTSocket plugin's caller feature renders incoming call notifications using the jQuery Toast Plugin, passing the caller's display name directly as the heading parameter. The toast plugin constructs the heading as raw HTML ('<h2>' + heading + '</h2>') and inserts it into the DOM via jQuery's .html() method, which parses and executes any embedded HTML or script content. An attacker can set their display name to an XSS payload and trigger code execution on any online user's browser simply by initiating a call - no victim interaction is required beyond being connected to the WebSocket. At time of publication, there are no publicly available patches.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
WWBN AVideo versions 26.0 and prior contain an XSS vulnerability in the YPTSocket plugin's caller feature. The plugin uses the jQuery Toast Plugin to render incoming call notifications, inserting the caller's display name directly into the DOM as raw HTML via jQuery's .html() method. This allows an attacker to inject arbitrary HTML or script code by setting their display name to a malicious payload. When the attacker initiates a call, the payload executes in the browsers of all online users connected to the WebSocket, requiring no user interaction beyond being connected. There are no publicly available patches or fixes at the time of this report.
Potential Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of other users' browsers connected to the AVideo platform. This can lead to theft of session tokens, user impersonation, or other client-side attacks. The vulnerability affects confidentiality and integrity but does not impact availability. The CVSS score of 6.4 reflects a medium severity with network attack vector, low attack complexity, and no user interaction required.
Mitigation Recommendations
At the time of publication, no official patches or fixes are available for this vulnerability. Users of WWBN AVideo should monitor the vendor's advisories for updates. As a temporary mitigation, administrators may consider disabling or restricting the YPTSocket plugin's caller feature or filtering/sanitizing user display names before they are rendered. Avoid exposing the vulnerable functionality to untrusted users until an official fix is released.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-03-30T18:41:20.752Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 69cc37c1e6bfc5ba1d4189fe
Added to database: 3/31/2026, 9:08:17 PM
Last enriched: 4/7/2026, 11:18:23 PM
Last updated: 5/16/2026, 8:01:19 AM
Views: 38
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.