CVE-2026-45580: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in WWBN AVideo
WWBN AVideo is an open source video platform. In 29.0 and earlier, there is a stored cross-site scripting vulnerability. The Live plugin's "YouTube-style" view renders the live transmission's stream key into an HTML class attribute by raw echo, without htmlspecialchars(). A canStream user can persist a key containing " plus an event handler via plugin/Live/saveLive.php, and any visitor (logged in or anonymous) opening the stream's live page executes attacker JavaScript in the platform origin.
AI Analysis
Technical Summary
CVE-2026-45580 is a stored cross-site scripting vulnerability in WWBN AVideo (<= 29.0) affecting the Live plugin. The issue occurs because the stream key is output directly into an HTML class attribute without htmlspecialchars() encoding, enabling an attacker with canStream privileges to inject JavaScript via the stream key through plugin/Live/saveLive.php. This malicious script executes in the browser of any user visiting the live stream page, regardless of authentication status. The vulnerability is classified under CWE-79 and has a CVSS 3.1 base score of 5.4 (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N).
Potential Impact
An attacker with canStream privileges can inject persistent JavaScript that executes in the context of the platform for any visitor to the live stream page. This can lead to limited confidentiality and integrity impacts such as theft of user session data or manipulation of page content. There is no impact on availability. The vulnerability requires some user interaction (visiting the live page) and privileges to inject the payload.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, restrict canStream privileges to trusted users only to reduce risk. Avoid visiting untrusted live stream pages on affected versions. Monitor vendor channels for official patches or updates addressing this vulnerability.
CVE-2026-45580: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in WWBN AVideo
Description
WWBN AVideo is an open source video platform. In 29.0 and earlier, there is a stored cross-site scripting vulnerability. The Live plugin's "YouTube-style" view renders the live transmission's stream key into an HTML class attribute by raw echo, without htmlspecialchars(). A canStream user can persist a key containing " plus an event handler via plugin/Live/saveLive.php, and any visitor (logged in or anonymous) opening the stream's live page executes attacker JavaScript in the platform origin.
CVSS v3.1
Score 5.4medium
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-45580 is a stored cross-site scripting vulnerability in WWBN AVideo (<= 29.0) affecting the Live plugin. The issue occurs because the stream key is output directly into an HTML class attribute without htmlspecialchars() encoding, enabling an attacker with canStream privileges to inject JavaScript via the stream key through plugin/Live/saveLive.php. This malicious script executes in the browser of any user visiting the live stream page, regardless of authentication status. The vulnerability is classified under CWE-79 and has a CVSS 3.1 base score of 5.4 (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N).
Potential Impact
An attacker with canStream privileges can inject persistent JavaScript that executes in the context of the platform for any visitor to the live stream page. This can lead to limited confidentiality and integrity impacts such as theft of user session data or manipulation of page content. There is no impact on availability. The vulnerability requires some user interaction (visiting the live page) and privileges to inject the payload.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, restrict canStream privileges to trusted users only to reduce risk. Avoid visiting untrusted live stream pages on affected versions. Monitor vendor channels for official patches or updates addressing this vulnerability.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-05-12T19:00:14.601Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a19993ae29bf47b50eaf56c
Added to database: 5/29/2026, 1:48:42 PM
Last enriched: 5/29/2026, 2:05:43 PM
Last updated: 5/31/2026, 4:58:30 AM
Views: 7
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.