CVE-2026-34716
Stored XSS in WWBN AVideo YPTSocket Plugin Enables Remote Code Execution
Publication date: 2026-03-31
Last updated on: 2026-04-01
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wwbn | avideo | up to 26.0 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows an attacker to execute arbitrary code in the browsers of online users via a cross-site scripting (XSS) attack. This can lead to unauthorized access to user data or session hijacking.
Such unauthorized access or data exposure could potentially violate data protection regulations like GDPR or HIPAA, which require safeguarding personal and sensitive information against unauthorized access or breaches.
However, the provided information does not explicitly state the impact on compliance with these standards.
Can you explain this vulnerability to me?
This vulnerability exists in the WWBN AVideo platform, specifically in the YPTSocket plugin's caller feature in versions 26.0 and prior. The plugin uses the jQuery Toast Plugin to display incoming call notifications by passing the caller's display name directly as the heading parameter. The toast plugin constructs the heading as raw HTML and inserts it into the DOM using jQuery's .html() method, which executes any embedded HTML or script content. An attacker can exploit this by setting their display name to include malicious script code (an XSS payload). When the attacker initiates a call, the malicious code executes in the browsers of any online users connected to the WebSocket, without requiring any further interaction from the victims.
How can this vulnerability impact me?
This vulnerability allows an attacker to execute arbitrary script code in the browsers of users connected to the WWBN AVideo platform. This can lead to unauthorized actions such as stealing session cookies, hijacking user accounts, defacing the user interface, or performing other malicious activities within the context of the affected users' sessions. Since the attack requires no user interaction beyond being connected, it poses a significant risk to user security and privacy.
What immediate steps should I take to mitigate this vulnerability?
At the time of publication, there are no publicly available patches for this vulnerability.
As an immediate mitigation, consider restricting or monitoring WebSocket connections to the AVideo YPTSocket plugin, especially calls that could trigger the vulnerable toast notifications.
Additionally, review and limit user input that can be used as the caller's display name to prevent injection of malicious scripts.
Implementing Content Security Policy (CSP) headers to restrict script execution may also help reduce the impact of potential XSS payloads.
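The following is an added example, not code from AVideo or the jQuery Toast plugin. It models the sink described in the explanation above (a caller's display name concatenated into toast heading markup that is then handed to an HTML sink such as `.html()`) beside the two controls the mitigation section names: output encoding at the sink and validation of the display-name field. The `<h2 class="jq-toast-heading">` template and the display-name policy are assumptions for illustration.

```javascript
// Added example (not AVideo or jQuery Toast code): a minimal model of the
// toast-heading sink, plus encoding and validation controls around it.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that matter in an HTML text or attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the display name is concatenated into heading markup
// untouched, then handed to an HTML sink such as jQuery's .html().
function buildCallToastVulnerable(callerName) {
  return `<h2 class="jq-toast-heading">${callerName} is calling</h2>`;
}

// Hardened pattern: encode the name before it reaches the HTML sink, so any
// markup in it renders as literal text instead of being parsed.
function buildCallToastSafe(callerName) {
  return `<h2 class="jq-toast-heading">${escapeHtml(callerName)} is calling</h2>`;
}

// Defence in depth at the point the display name is set (assumed policy, not
// AVideo's): printable characters only, no angle brackets, quotes or
// ampersands, bounded length.
function isAllowedDisplayName(name) {
  return typeof name === 'string' && name.length > 0 && name.length <= 64
    && /^[^<>"'&\x00-\x1f\x7f]+$/.test(name);
}

// Detection check: does the rendered heading carry any tag that was not part
// of the <h2> template? A true result means markup from the name leaked through.
function headingContainsInjectedTag(heading) {
  const inner = heading.replace(/^<h2[^>]*>/, '').replace(/<\/h2>$/, '');
  return /<[a-zA-Z!\/]/.test(inner);
}

// Constructed sample display name containing markup (illustrative only).
const SAMPLE_NAME = 'Mallory <b>admin</b>';

console.log('vulnerable:', buildCallToastVulnerable(SAMPLE_NAME));
console.log('hardened:  ', buildCallToastSafe(SAMPLE_NAME));
console.log('name accepted by policy:', isAllowedDisplayName(SAMPLE_NAME));
```

Running it prints the vulnerable heading with the `<b>` tag intact and the hardened heading with it encoded, and shows the sample name being rejected by the field policy.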