CVE-2026-34396
Received - Intake
Stored XSS in WWBN AVideo Admin Plugin Configuration Panel

Publication date: 2026-03-31

Last updated on: 2026-04-01

Assigner: GitHub, Inc.

Description
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo admin panel renders plugin configuration values in HTML forms without applying htmlspecialchars() or any other output encoding. The jsonToFormElements() function in admin/functions.php directly interpolates user-controlled values into textarea contents, option elements, and input attributes. An attacker who can set a plugin configuration value (either as a compromised admin or by chaining with CSRF on admin/save.json.php) can inject arbitrary JavaScript that executes whenever any administrator visits the plugin configuration page. At time of publication, there are no publicly available patches.
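As an added illustration (not AVideo's code and not a reconstruction of its jsonToFormElements()), the rendering pattern the description flags, interpolating stored configuration values into input attributes, textarea contents and option elements, shown first raw and then with htmlspecialchars() applied in every context; the function names, the $kind parameter and the sample value are assumptions.

```php
<?php
// Added illustration, not AVideo's own jsonToFormElements(): a minimal config-form
// renderer in the style the advisory describes, first with raw interpolation and
// then hardened with htmlspecialchars(). Function names and $kind are hypothetical.

// One encoder for HTML text and quoted-attribute contexts: ENT_QUOTES escapes both
// ' and ", ENT_SUBSTITUTE keeps malformed UTF-8 from yielding an empty string.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Vulnerable pattern: stored values land in the markup unchanged.
function renderFieldUnsafe(string $kind, string $name, $value): string
{
    if ($kind === 'textarea') return "<textarea name=\"$name\">$value</textarea>";
    if ($kind === 'select') {
        $out = "<select name=\"$name\">";
        foreach ((array)$value as $opt) $out .= "<option value=\"$opt\">$opt</option>";
        return $out . '</select>';
    }
    return "<input type=\"text\" name=\"$name\" value=\"$value\">";
}

// Hardened pattern: every fragment derived from stored data passes through h().
function renderFieldSafe(string $kind, string $name, $value): string
{
    $n = h($name);
    if ($kind === 'textarea') return "<textarea name=\"$n\">" . h((string)$value) . '</textarea>';
    if ($kind === 'select') {
        $out = "<select name=\"$n\">";
        foreach ((array)$value as $opt) { $o = h((string)$opt); $out .= "<option value=\"$o\">$o</option>"; }
        return $out . '</select>';
    }
    return "<input type=\"text\" name=\"$n\" value=\"" . h((string)$value) . '">';
}

// Constructed sample: a stored value carrying the characters that close an attribute
// or a textarea. The unsafe renderer emits it as markup; the safe one keeps it inert.
$sample = '"></textarea><b>injected</b>';
foreach (['text', 'textarea', 'select'] as $kind) {
    echo renderFieldUnsafe($kind, 'label', $sample), PHP_EOL;
    echo renderFieldSafe($kind, 'label', $sample), PHP_EOL;
}
```

htmlspecialchars() is the right encoder only for HTML text and quoted attribute values; a value placed inside a script block, a URL or an unquoted attribute needs a context-specific encoder instead.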
Meta Information
Generated: 2026-06-16
AI Q&A: 2026-04-01
EPSS Evaluated: 2026-06-15
NVD
Affected Vendors & Products
Vendor: wwbn
Product: avideo
Version / Range: up to 26.0 (inclusive)
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
AI Quick Actions
Executive Summary

This vulnerability exists in WWBN AVideo versions 26.0 and prior, where the admin panel renders plugin configuration values in HTML forms without proper output encoding such as htmlspecialchars(). Specifically, the jsonToFormElements() function in admin/functions.php directly inserts user-controlled values into textarea contents, option elements, and input attributes. This allows an attacker who can set a plugin configuration value (either by compromising an admin account or by exploiting a CSRF vulnerability on admin/save.json.php) to inject arbitrary JavaScript. This malicious script executes whenever any administrator visits the plugin configuration page.

Impact Analysis

The vulnerability can lead to cross-site scripting (XSS) attacks within the admin panel of the AVideo platform. An attacker injecting JavaScript can execute arbitrary code in the context of the administrator's browser session. This can result in theft of admin credentials, session hijacking, unauthorized actions performed with admin privileges, or further compromise of the system.

Mitigation Strategies

Since there are no publicly available patches at the time of publication, immediate mitigation steps include restricting administrative access to trusted users only and preventing attackers from setting plugin configuration values.

Additionally, administrators should avoid visiting the plugin configuration page until a patch or update is released, as visiting this page triggers the execution of injected JavaScript.

Implementing protections against CSRF attacks on admin/save.json.php can also help prevent attackers from chaining exploits to set malicious plugin configuration values.

Compliance Impact

The vulnerability allows an attacker to inject arbitrary JavaScript into the admin panel, which can lead to unauthorized actions or data exposure when administrators visit the plugin configuration page.

Such unauthorized code execution and potential data exposure could negatively impact compliance with standards like GDPR and HIPAA, which require protection of personal data and secure administrative controls.

However, the provided information does not explicitly describe the direct impact on compliance with these regulations.
