Description
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo admin panel renders plugin configuration values in HTML forms without applying htmlspecialchars() or any other output encoding. The jsonToFormElements() function in admin/functions.php directly interpolates user-controlled values into textarea contents, option elements, and input attributes. An attacker who can set a plugin configuration value (either as a compromised admin or by chaining with CSRF on admin/save.json.php) can inject arbitrary JavaScript that executes whenever any administrator visits the plugin configuration page. At time of publication, there are no publicly available patches.
Published: 2026-03-31
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting via plugin configuration values
Action: Assess Impact
AI Analysis

Impact

The vulnerability is a stored XSS flaw in the AVideo admin panel. Plugin configuration values are rendered directly into HTML without encoding. An attacker who can set a plugin configuration value—either by gaining administrator privileges or by chaining a CSRF attack on the admin/save.json.php endpoint—can inject arbitrary JavaScript. When any administrator loads the plugin configuration page, the malicious script runs in the admin’s browser context, potentially leading to session hijacking, credential theft, or other malicious actions within the web application.

Affected Systems

The flaw affects WWBN AVideo versions 26.0 and earlier. No public patch is available at the time of publication.

Risk and Exploitability

The CVSS base score of 6.1 indicates moderate severity, and the EPSS score of less than 1% suggests a low probability of exploitation in the wild. The vulnerability is not listed on the CISA KEV catalog. Exploitation requires the attacker to influence configuration values, which typically means having compromised an administrator account or successfully conducting a CSRF attack. The attack vector is likely local to the admin context, limiting the scope of impact to users with administrative privileges.

Generated by OpenCVE AI on April 2, 2026 at 03:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check for the latest AVideo release and apply any updates that address this issue.
  • If no updated release is available, restrict administrative access to the configuration pages until a patch is released.
  • Apply temporary code changes that apply htmlspecialchars() or equivalent output encoding to plugin configuration values rendered in the admin interface.
  • Deploy a web application firewall or enforce a content‑security‑policy header to mitigate effects of any injected scripts.
  • Monitor application logs for unauthorized configuration changes and investigate any suspicious activity.
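As an added illustration of the third recommended action (applying htmlspecialchars() to plugin configuration values before they reach the admin form), here is a hypothetical renderPluginField() that is not code from the AVideo project. It renders a value into the three contexts the advisory names (textarea body, option element, input attribute), once as raw interpolation and once through a single encoding helper; the function and variable names and the sample stored value are all constructed for this example.

```php
<?php
// Added example, not AVideo's own code. renderPluginField() is a hypothetical
// stand-in for the kind of form rendering the advisory describes; the $encode
// switch selects the unencoded (vulnerable) or the encoded (hardened) path.

declare(strict_types=1);

// Single choke point for output encoding: escapes & < > " and ', and replaces
// invalid UTF-8 sequences instead of silently returning an empty string.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

function renderPluginField(string $name, string $value, bool $encode): string
{
    // Without encoding, $value is interpreted as markup by the browser;
    // with encoding it can only ever be rendered as text.
    $n = $encode ? h($name) : $name;
    $v = $encode ? h($value) : $value;

    return "<textarea name=\"{$n}\">{$v}</textarea>\n"
         . "<select name=\"{$n}\"><option value=\"{$v}\">{$v}</option></select>\n"
         . "<input type=\"text\" name=\"{$n}\" value=\"{$v}\">\n";
}

// Constructed sample: a stored configuration value that closes the attribute
// or textarea it lands in and then opens a script element.
$stored = '"></textarea><script>alert(1)</script>';

$unsafe = renderPluginField('plugin_opt', $stored, false);
$safe   = renderPluginField('plugin_opt', $stored, true);

// Minimal regression check for the hardened path: no script element and no
// unescaped closing sequence from the stored value may survive encoding.
if (!str_contains($unsafe, '<script>')
    || str_contains($safe, '<script>')
    || str_contains($safe, '"></textarea>')) {
    throw new RuntimeException('output encoding check failed');
}

echo "--- unencoded (vulnerable) ---\n", $unsafe;
echo "--- encoded (hardened) ---\n", $safe;
```

The encoded output renders the stored value as `&quot;&gt;&lt;/textarea&gt;&lt;script&gt;...` in every context, so the form shows the literal text rather than executing it. Passing ENT_QUOTES explicitly matters on PHP versions before 8.1, where the default flags left single quotes unencoded. Encoding addresses the XSS itself; it does not by itself close the CSRF step on admin/save.json.php that the advisory lists as a chaining vector, and a restrictive Content-Security-Policy header (the fourth recommended action) remains a useful second layer should an unencoded sink be missed.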



Advisories
Source: GitHub GHSA
ID: GHSA-v4h7-3x43-qqw4
Title: AVideo has Stored XSS via Unescaped Plugin Configuration Values in Admin Panel
History

Wed, 01 Apr 2026 23:45:00 +0000

First Time appeared (values added): Wwbn; Wwbn avideo
CPEs (values added): cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*
Vendors & Products (values added): Wwbn; Wwbn avideo
Metrics (values added): ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 01 Apr 2026 02:15:00 +0000

Description (values added): WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo admin panel renders plugin configuration values in HTML forms without applying htmlspecialchars() or any other output encoding. The jsonToFormElements() function in admin/functions.php directly interpolates user-controlled values into textarea contents, option elements, and input attributes. An attacker who can set a plugin configuration value (either as a compromised admin or by chaining with CSRF on admin/save.json.php) can inject arbitrary JavaScript that executes whenever any administrator visits the plugin configuration page. At time of publication, there are no publicly available patches.
Title (values added): AVideo: Stored XSS via Unescaped Plugin Configuration Values in Admin Panel
Weaknesses (values added): CWE-79
References:
Metrics (values added): cvssV3_1 {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-01T15:53:38.902Z

Reserved: 2026-03-27T13:45:29.619Z

Link: CVE-2026-34396

Vulnrichment

Updated: 2026-04-01T15:48:11.087Z

NVD

Status : Analyzed

Published: 2026-03-31T21:16:30.970

Modified: 2026-04-01T20:34:13.037

Link: CVE-2026-34396

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-02T20:10:43Z

Weaknesses