Description
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo YPTSocket plugin's caller feature renders incoming call notifications using the jQuery Toast Plugin, passing the caller's display name directly as the heading parameter. The toast plugin constructs the heading as raw HTML ('<h2>' + heading + '</h2>') and inserts it into the DOM via jQuery's .html() method, which parses and executes any embedded HTML or script content. An attacker can set their display name to an XSS payload and trigger code execution on any online user's browser simply by initiating a call - no victim interaction is required beyond being connected to the WebSocket. At time of publication, there are no publicly available patches.
Published: 2026-03-31
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Browser-based XSS via WebSocket call notification
Action: Disable Plugin
AI Analysis

Impact

An attacker can set a malicious display name for the caller in the YPTSocket plugin of AVideo. The plugin renders this name directly into a toast heading using raw HTML and jQuery's .html() method. Because no sanitization occurs, the browser parses and executes any injected script, allowing arbitrary code execution in the victim’s browser. This leads to session hijacking, data theft, or delivery of malware, with no user interaction beyond receiving a call.
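The rendering pattern the advisory describes, as an added example that is not AVideo, YPTSocket or jQuery Toast code: the unsafe heading concatenation beside an escaped version, plus a server-side display-name check. escapeHtml and isAcceptableDisplayName are assumed helpers, not from the project.

```javascript
// Added example, not AVideo/YPTSocket code: models the heading construction
// described in the advisory and a hardened alternative.

// Vulnerable pattern from the advisory: the display name is concatenated into
// raw HTML and later handed to jQuery's .html(), so markup in it is parsed.
function buildHeadingUnsafe(displayName) {
  return '<h2>' + displayName + '</h2>';
}

// Minimal HTML entity escaping (assumed helper, not from the project).
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Hardened pattern: escape before concatenation so the name is rendered as
// text. Equivalently, set the heading with .text() instead of .html().
function buildHeadingSafe(displayName) {
  return '<h2>' + escapeHtml(displayName) + '</h2>';
}

// Defensive server-side check for a WebSocket call event (assumed helper):
// reject display names that carry markup at the source, so even an
// unpatched client never receives them.
const MARKUP = /[<>]|javascript:/i;
function isAcceptableDisplayName(name) {
  return typeof name === 'string' &&
    name.length > 0 && name.length <= 64 &&
    !MARKUP.test(name);
}

// Constructed sample: a display name carrying a script tag.
const SAMPLE_NAME = 'Alice <script>void 0</script>';
```
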

Affected Systems

The vulnerability exists in the WWBN AVideo open‑source video platform, affecting all releases 26.0 and older. No other versions or variants are noted.

Risk and Exploitability

The CVSS base score is 6.4 (medium severity). The EPSS score is below 1% and the issue is not listed in CISA’s KEV catalog, so the current likelihood of exploitation is low. However, the attack vector is inferred to be an active WebSocket connection: an attacker can trigger the vulnerable toast by initiating a call to a victim, with no further action required on the victim’s part. Without a published patch, this remains a high-value target for automated scripts that scan for vulnerable installations.

Generated by OpenCVE AI on April 2, 2026 at 04:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Configure a strict Content Security Policy that blocks inline scripts and restricts the origins that can load scripts

Advisories
Source: GitHub GHSA
ID: GHSA-w4hp-w536-jg64
Title: AVideo: DOM XSS via Unsanitized Display Name in WebSocket Call Notification
History

Fri, 03 Apr 2026 17:45:00 +0000

Type: Metrics (ssvc)
Values removed: none
Values added: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: First Time appeared
Values added: Wwbn; Wwbn avideo

Type: CPEs
Values added: cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*

Type: Vendors & Products
Values added: Wwbn; Wwbn avideo

Wed, 01 Apr 2026 02:15:00 +0000

Type: Description
Values added: WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo YPTSocket plugin's caller feature renders incoming call notifications using the jQuery Toast Plugin, passing the caller's display name directly as the heading parameter. The toast plugin constructs the heading as raw HTML ('<h2>' + heading + '</h2>') and inserts it into the DOM via jQuery's .html() method, which parses and executes any embedded HTML or script content. An attacker can set their display name to an XSS payload and trigger code execution on any online user's browser simply by initiating a call - no victim interaction is required beyond being connected to the WebSocket. At time of publication, there are no publicly available patches.

Type: Title
Values added: AVideo: DOM XSS via Unsanitized Display Name in WebSocket Call Notification

Type: Weaknesses
Values added: CWE-79

Type: References
Values added: none listed

Type: Metrics (cvssV3_1)
Values added: {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-03T16:31:32.865Z

Reserved: 2026-03-30T18:41:20.752Z

Link: CVE-2026-34716

Vulnrichment

Updated: 2026-04-03T16:31:25.863Z

NVD

Status: Analyzed

Published: 2026-03-31T21:16:31.607

Modified: 2026-04-01T18:37:08.250

Link: CVE-2026-34716

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-02T20:10:40Z

Weaknesses