CVE-2026-45580
EUVD-2026-3331129.05.2026, 14:16
WWBN AVideo is an open source video platform. In 29.0 and earlier, there is a stored cross-site scripting vulnerability. The Live plugin's "YouTube-style" view renders the live transmission's stream key into an HTML class attribute by raw echo, without htmlspecialchars(). A canStream user can persist a key containing " plus an event handler via plugin/Live/saveLive.php, and any visitor (logged in or anonymous) opening the stream's live page executes attacker JavaScript in the platform origin.
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| wwbn | avideo | 𝑥 ≤ 29.0 |
𝑥
= Vulnerable software versions