CVE-2026-43878
Received Received - Intake
Meet Plugin Reflected XSS in WWBN AVideo

Publication date: 2026-05-11

Last updated on: 2026-05-11

Assigner: GitHub, Inc.

Description
WWBN AVideo is an open source video platform. In versions up to and including 29.0, plugin/Meet/iframe.php echoes the attacker-controlled user and pass query parameters unescaped into a JavaScript double-quoted string literal inside a <script> block. An attacker who sends a victim to a crafted URL can break out of the string and execute arbitrary JavaScript in the victim's browser in the context of the AVideo origin. No authentication is required if a public Meet schedule exists on the target. Commit 3298ced2bcf92e4f3acff6ce9bde14edf42ecb5b contains an updated fix.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-11
Last Modified
2026-05-11
Generated
2026-06-21
AI Q&A
2026-05-12
EPSS Evaluated
2026-06-20
NVD
CVE-2026-43878
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wwbn avideo to 29.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

This vulnerability allows an attacker to execute arbitrary JavaScript in the victim's browser within the context of the AVideo origin by exploiting unescaped user input in a script block. Such cross-site scripting (XSS) vulnerabilities can lead to unauthorized access to user data, session hijacking, or other malicious actions.

Because of these risks, the vulnerability could impact compliance with data protection regulations such as GDPR and HIPAA, which require adequate security measures to protect personal and sensitive information from unauthorized access or disclosure.

Failure to address this vulnerability may result in non-compliance with these standards due to potential data breaches or exposure of protected health information (PHI) or personally identifiable information (PII).

Executive Summary

This vulnerability exists in WWBN AVideo, an open source video platform, in versions up to and including 29.0. The issue is in the plugin/Meet/iframe.php file, where the user and pass query parameters are inserted into a JavaScript double-quoted string literal inside a <script> block without proper escaping. Because these parameters are attacker-controlled, an attacker can craft a URL that breaks out of the string context and executes arbitrary JavaScript code in the victim's browser within the AVideo origin.

No authentication is required to exploit this vulnerability if a public Meet schedule exists on the target, making it easier for attackers to leverage.

Impact Analysis

This vulnerability allows an attacker to execute arbitrary JavaScript in the context of the victim's browser on the AVideo platform. This can lead to several impacts including theft of sensitive information such as cookies or session tokens, performing actions on behalf of the victim, or redirecting the victim to malicious sites.

Since no authentication is required if a public Meet schedule exists, attackers can easily exploit this vulnerability to target users without needing credentials.

Mitigation Strategies

To mitigate this vulnerability, update WWBN AVideo to a version later than 29.0 where the issue in plugin/Meet/iframe.php has been fixed, as indicated by commit 3298ced2bcf92e4f3acff6ce9bde14edf42ecb5b.

Additionally, consider restricting access to public Meet schedules or disabling the affected plugin if an immediate update is not possible.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-43878. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart