CVE-2026-45580 - Vulnerability Details

Description

WWBN AVideo is an open source video platform. In 29.0 and earlier, there is a stored cross-site scripting vulnerability. The Live plugin's "YouTube-style" view renders the live transmission's stream key into an HTML class attribute by raw echo, without htmlspecialchars(). A canStream user can persist a key containing " plus an event handler via plugin/Live/saveLive.php, and any visitor (logged in or anonymous) opening the stream's live page executes attacker JavaScript in the platform origin.

Published: 2026-05-29

Score: 5.4 Medium

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

A video platform contains a stored cross‑site scripting flaw that allows an attacker to embed malicious code in the stream key for a live broadcast. When the key is stored, the software echoes it directly into an HTML class attribute without escaping. Any person who visits the live page – whether logged in or anonymous – will execute the embedded JavaScript in the context of the site. This can lead to theft of credentials, session hijacking or other malicious actions within the platform’s domain.

Affected Systems

The vulnerability exists in the open source video platform provided by WWBN in all releases version 29.0 and earlier. It is triggered via the Live plugin’s YouTube‑style view and can be introduced through the Live/saveLive.php interface by any user with canStream permissions. All downstream users who access the affected stream’s page are potentially exposed.

Risk and Exploitability

The CVSS score of 5.4 indicates moderate severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. An attacker requires the ability to add or edit a stream key, which is granted to users with canStream permissions. Once a malicious key is stored, any visitor to the live page triggers the payload, making exploitation straightforward for attackers who can create or manipulate live streams. The lack of request‑time validation and proper output encoding directly contributes to the risk of exploitation.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

WWBN

AVideo

affected

Version	Status	Constraints
`<= 29.0`	affected	—

No data.

Vendor Product Confidence Versions

Wwbn

Avideo

100%

Version	Status	Scheme	Platform
`[0,29.0]`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade to the latest version of AVideo, which removes the unescaped output of the stream key
If an upgrade is not immediately possible, implement input sanitization on the stream key to strip or encode special characters such as quotes and disallow event handler attributes
Deploy a web application firewall or content security policy that restricts inline scripting and detects suspicious payloads in class attributes
Verify that only authorized users can create or modify streams by enforcing strict permission checks

Generated by OpenCVE AI on May 29, 2026 at 15:17 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-m5j4-7r85-2cj2	AVideo: stored XSS via unescaped stream key in modeYoutubeLive.php class attribute

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://github.com/WWBN/AVideo/security/advisories/GHSA-m5j4-7r85-2cj2

History

Fri, 29 May 2026 15:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Wwbn Wwbn avideo
Vendors & Products		Wwbn Wwbn avideo

Fri, 29 May 2026 13:45:00 +0000

Type	Values Removed	Values Added
Description		WWBN AVideo is an open source video platform. In 29.0 and earlier, there is a stored cross-site scripting vulnerability. The Live plugin's "YouTube-style" view renders the live transmission's stream key into an HTML class attribute by raw echo, without htmlspecialchars(). A canStream user can persist a key containing " plus an event handler via plugin/Live/saveLive.php, and any visitor (logged in or anonymous) opening the stream's live page executes attacker JavaScript in the platform origin.
Title		WWBN AVideo Live: stored XSS via unescaped stream key in modeYoutubeLive.php class attribute
Weaknesses		CWE-79
References		https://github.com/WWBN/AVideo/security/advisories/GHSA-m5j4-7r85-2cj2
Metrics		cvssV3_1 `{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}`

Subscriptions

Wwbn Avideo

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-05-29T13:14:49.977Z

Updated: 2026-05-29T13:14:49.977Z

Reserved: 2026-05-12T19:00:14.601Z

Link: CVE-2026-45580

Vulnrichment

No data.

NVD

Status : Undergoing Analysis

Published: 2026-05-29T14:16:30.413

Modified: 2026-05-29T15:06:44.207

Link: CVE-2026-45580

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-29T15:30:04Z

Weaknesses

CWE-79

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object