CVE-2026-43878
Status: Received - Intake
Meet Plugin Reflected XSS in WWBN AVideo

Publication date: 2026-05-11

Last updated on: 2026-05-11

Assigner: GitHub, Inc.

Description
WWBN AVideo is an open source video platform. In versions up to and including 29.0, plugin/Meet/iframe.php echoes the attacker-controlled user and pass query parameters unescaped into a JavaScript double-quoted string literal inside a <script> block. An attacker who sends a victim to a crafted URL can break out of the string and execute arbitrary JavaScript in the victim's browser in the context of the AVideo origin. No authentication is required if a public Meet schedule exists on the target. Commit 3298ced2bcf92e4f3acff6ce9bde14edf42ecb5b contains an updated fix.
Meta Information
Published: 2026-05-11
Last Modified: 2026-05-11
Generated: 2026-05-12
AI Q&A: 2026-05-12
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor: wwbn
Product: avideo
Version / Range: up to 29.0 (inclusive)
CWE
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in WWBN AVideo, an open source video platform, in versions up to and including 29.0. The issue is in the plugin/Meet/iframe.php file, where the user and pass query parameters are inserted into a JavaScript double-quoted string literal inside a <script> block without proper escaping. Because these parameters are attacker-controlled, an attacker can craft a URL that breaks out of the string context and executes arbitrary JavaScript code in the victim's browser within the AVideo origin.

No authentication is required to exploit this vulnerability if a public Meet schedule exists on the target, which lowers the bar for exploitation.


How can this vulnerability impact me?

This vulnerability allows an attacker to execute arbitrary JavaScript in the victim's browser within the AVideo origin. Possible impacts include theft of sensitive information such as cookies or session tokens, actions performed on the victim's behalf, and redirection of the victim to malicious sites.

Since no authentication is required if a public Meet schedule exists, attackers can easily exploit this vulnerability to target users without needing credentials.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, update WWBN AVideo to a version later than 29.0 where the issue in plugin/Meet/iframe.php has been fixed, as indicated by commit 3298ced2bcf92e4f3acff6ce9bde14edf42ecb5b.

Additionally, consider restricting access to public Meet schedules or disabling the affected plugin if an immediate update is not possible.
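The description above and this mitigation answer both concern the same coding defect: a query parameter written unescaped into a double-quoted JavaScript string literal inside a <script> block. The PHP below is an added example, not code from WWBN AVideo or from the referenced fix commit; it places the vulnerable pattern beside a hardened version that encodes each value with json_encode() before it reaches the script. The parameter names ($_GET['user'], $_GET['pass']), the JavaScript variable names and the sample input are assumptions chosen for illustration and are not taken from plugin/Meet/iframe.php.

```php
<?php
// Added example, not code from WWBN AVideo. It contrasts the pattern the
// advisory describes (a query parameter written unescaped into a
// double-quoted JavaScript string inside <script>) with a hardened version.
// Parameter names ('user', 'pass') and the JavaScript variable names are
// assumptions for illustration, not taken from plugin/Meet/iframe.php.

/**
 * Turn a PHP string into a JavaScript string literal that is safe to place
 * inside a <script> block.
 *
 * json_encode already escapes quotes, backslashes, control characters and
 * (without JSON_UNESCAPED_UNICODE) every non-ASCII code point, which covers
 * the U+2028/U+2029 line terminators that would otherwise end a JS literal.
 * The HEX flags additionally turn < > & ' " into \uXXXX escapes, so the
 * output can neither terminate the literal nor contain "</script>" to close
 * the surrounding element.
 */
function js_string_literal(string $value): string
{
    $literal = json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
    );
    // json_encode returns false on invalid UTF-8; fail closed with an empty literal.
    return $literal === false ? '""' : $literal;
}

/** Vulnerable pattern: raw query parameters dropped straight into the literal. */
function render_vulnerable(array $query): string
{
    $user = $query['user'] ?? '';
    $pass = $query['pass'] ?? '';
    return "<script>\n"
         . "var meetUser = \"{$user}\";\n"
         . "var meetPass = \"{$pass}\";\n"
         . "</script>\n";
}

/** Hardened pattern: every injected value goes through js_string_literal(). */
function render_hardened(array $query): string
{
    $user = js_string_literal((string)($query['user'] ?? ''));
    $pass = js_string_literal((string)($query['pass'] ?? ''));
    return "<script>\n"
         . "var meetUser = {$user};\n"
         . "var meetPass = {$pass};\n"
         . "</script>\n";
}

/**
 * Self-check on a constructed input that contains the characters that matter
 * here (double quote, apostrophe, angle brackets, ampersand): the hardened
 * literal must carry none of them raw, must decode back to the original value,
 * and the vulnerable renderer must be shown to pass the input through verbatim.
 */
function self_check(): bool
{
    $constructed = 'Ann "Annie" O\'Neil <QA> &';   // constructed sample, not real data
    $literal     = js_string_literal($constructed);
    $inner       = substr($literal, 1, -1);       // drop the enclosing quotes

    $noRawMeta      = preg_match('/["\'<>&]/', $inner) === 0;
    $roundTrips     = json_decode($literal) === $constructed;
    $vulnerableRaw  = strpos(render_vulnerable(['user' => $constructed]), $constructed) !== false;

    return $noRawMeta && $roundTrips && $vulnerableRaw;
}

if (PHP_SAPI === 'cli') {
    echo self_check() ? "hardened output is clean\n" : "check failed\n";
    echo render_hardened(['user' => 'Ann "Annie" O\'Neil <QA>', 'pass' => 'p&w']);
}
```

Run it with `php example.php` to see the encoded literals. The same js_string_literal() helper is the right choice for any value that lands inside a script block, whatever its source; as defence in depth, a Content-Security-Policy that does not allow 'unsafe-inline' scripts turns a missed encoding into a blocked script rather than code execution. When auditing a patch for this class of bug, confirm that every occurrence of the parameters in the template is encoded, not only the one named in the advisory.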