CVE-2026-34739 - Vulnerability Details

- AVideo: Reflected XSS via Unescaped ip Parameter in User_Location testIP.php

Description

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the User_Location plugin's testIP.php page reflects the ip request parameter directly into an HTML input element without applying htmlspecialchars() or any other output encoding. This allows an attacker to inject arbitrary HTML and JavaScript via a crafted URL. Although the page is restricted to admin users, AVideo's SameSite=None cookie configuration allows cross-origin exploitation, meaning an attacker can lure an admin to a malicious link that executes JavaScript in their authenticated session. At time of publication, there are no publicly available patches.

Published: 2026-03-31

Score: 6.1 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability resides in the testIP.php page of the User_Location plugin where the ip request parameter is reflected directly into an HTML input field without applying any output encoding. This omission allows an attacker to inject arbitrary HTML and JavaScript into the page, leading to a reflected cross‑site scripting (XSS) flaw.

Affected Systems

The flaw affects the open‑source AVideo video platform produced by WWBN. Versions 26.0 and earlier of the platform, when the User_Location plugin is installed, are vulnerable. The testIP.php script is intended for use only by administrator users.

Risk and Exploitability

The CVSS score of 6.1 indicates a medium severity vulnerability. The EPSS score is below 1%, and the flaw is not listed in the CISA KEV catalog, suggesting limited publicly known exploitation. However, because the platform sets SameSite=None for its authentication cookies, a malicious URL containing a crafted ip value can be used to lure an administrator to execute JavaScript in the context of their authenticated session. The likely attack vector is a phishing or social engineering attempt that convinces an admin to click the malicious link.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

WWBN

AVideo

affected

Version	Status	Constraints
`<= 26.0`	affected	—

Configuration 1 [-]

cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*

No data.

Vendor Product Confidence Versions

Wwbn

Avideo

100%

Version	Status	Scheme	Platform
`[0,26.0]`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the official patch from WWBN as soon as it becomes available.
Monitor the WWBN GitHub security advisories or release notes for a fix.
If possible, change the SameSite cookie setting to Lax or Strict to reduce cross‑origin execution risk.
Limit exposure of the testIP.php page by ensuring it is only reachable to trusted administrators and by avoiding distribution of untrusted links.

Generated by OpenCVE AI on April 2, 2026 at 04:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-jqrj-chh6-8h78	AVideo: Reflected XSS via Unescaped ip Parameter in User_Location testIP.php

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00015.

Exploitation poc

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/WWBN/AVideo/security/advisories/GHSA-jqrj-chh6-8h78

History

Wed, 01 Apr 2026 23:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Wwbn Wwbn avideo
CPEs		cpe:2.3:a:wwbn:avideo::::::::
Vendors & Products		Wwbn Wwbn avideo
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 01 Apr 2026 02:15:00 +0000

Type	Values Removed	Values Added
Description		WWBN AVideo is an open source video platform. In versions 26.0 and prior, the User_Location plugin's testIP.php page reflects the ip request parameter directly into an HTML input element without applying htmlspecialchars() or any other output encoding. This allows an attacker to inject arbitrary HTML and JavaScript via a crafted URL. Although the page is restricted to admin users, AVideo's SameSite=None cookie configuration allows cross-origin exploitation, meaning an attacker can lure an admin to a malicious link that executes JavaScript in their authenticated session. At time of publication, there are no publicly available patches.
Title		AVideo: Reflected XSS via Unescaped ip Parameter in User_Location testIP.php
Weaknesses		CWE-79
References		https://github.com/WWBN/AVideo/security/advisories/GHSA-jqrj-chh6-8h78
Metrics		cvssV3_1 `{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}`

Subscriptions

Wwbn Avideo

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-03-31T20:56:16.167Z

Updated: 2026-04-01T13:38:13.352Z

Reserved: 2026-03-30T18:41:20.755Z

Link: CVE-2026-34739

Vulnrichment

Updated: 2026-04-01T13:37:57.663Z

NVD

Status : Analyzed

Published: 2026-03-31T21:16:32.563

Modified: 2026-04-01T18:42:45.887

Link: CVE-2026-34739

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-02T20:10:35Z

Weaknesses

CWE-79

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

Exploitation poc

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object