CVE-2026-60092
Received Received - Intake

Stored XSS in AVideo Meet Plugin via User-Agent Header

Vulnerability report for CVE-2026-60092, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-08

Last updated on: 2026-07-08

Assigner: VulnCheck

Description

AVideo (Meet plugin) through commit e8d6119f3cb1b849149906efeb0a41fc024f59f8 contains a stored cross-site scripting vulnerability in the Meet plugin's getMeetInfo.json.php endpoint. When a participant joins a public meeting, the raw HTTP User-Agent header is stored (meet_join_log.user_agent) without sanitization (bypassing AVideo's setter-level xss_esc() layer) and later echoed without output encoding (no htmlspecialchars()) in the Participants management panel, which is accessible to the meeting host and site administrators. An anonymous, unauthenticated attacker can join any public meeting while supplying a User-Agent header containing an HTML/JavaScript payload; the payload is persisted and executes in the privileged, authenticated browser session of the meeting host or a site administrator when they open the participant list. The issue was unpatched at the time of the report.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-08
Last Modified
2026-07-08
Generated
2026-07-08
AI Q&A
2026-07-08
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
avideo meet_plugin *
wwbn avideo to commit_e8d6119f3cb1b849149906efeb0a41fc024f59f8 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-60092 is a stored cross-site scripting (XSS) vulnerability in the Meet plugin of AVideo. When a participant joins a public meeting, the raw HTTP User-Agent header they send is stored without proper sanitization, bypassing the usual XSS protection mechanisms.

Later, this unsanitized User-Agent data is displayed in the Participants management panel, which is accessible only to the meeting host and site administrators, without any output encoding. This allows an attacker to inject malicious HTML or JavaScript code that executes in the browser of privileged users when they view the participant list.

An anonymous, unauthenticated attacker can exploit this by joining any public meeting with a specially crafted User-Agent header containing malicious code, which then persists and executes in the context of the meeting host or administrator.

Impact Analysis

This vulnerability can allow an attacker to execute malicious scripts in the browser sessions of meeting hosts or site administrators, potentially leading to privilege escalation.

  • The attacker can perform actions as an administrator, including session theft.
  • It enables cross-site request forgery (CSRF) attacks.
  • Malicious payloads can persist in the system, affecting future sessions when the participant list is viewed.
Detection Guidance

This vulnerability can be detected by monitoring the User-Agent headers of participants joining public meetings for suspicious or malicious HTML/JavaScript payloads.

Since the vulnerability involves stored cross-site scripting via the User-Agent header, you can inspect the meet_join_log.user_agent field in the database for unusual or encoded script tags.

Commands to detect potential exploitation might include querying the database for User-Agent entries containing HTML or JavaScript code patterns.

  • Example SQL query to find suspicious User-Agent entries: SELECT user_agent FROM meet_join_log WHERE user_agent LIKE '%<script%' OR user_agent LIKE '%<img%' OR user_agent LIKE '%onerror=%';
  • Use network monitoring tools (e.g., tcpdump or Wireshark) to capture HTTP headers and filter for User-Agent headers containing suspicious payloads.
  • Example tcpdump command: tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep 'User-Agent:'
Mitigation Strategies

Immediate mitigation steps include preventing untrusted User-Agent headers from being stored or rendered without proper sanitization.

  • Restrict or disable public meetings temporarily to prevent anonymous attackers from joining and injecting malicious payloads.
  • Manually sanitize or encode the User-Agent data before displaying it in the Participants management panel, for example by applying htmlspecialchars() or equivalent output encoding.
  • Review and clean existing stored User-Agent entries in the meet_join_log.user_agent field to remove any malicious scripts.
  • Limit access to the Participants management panel to trusted users only until a patch is available.

Since no patch was available at the time of disclosure, monitoring for updates from the vendor and applying them promptly once released is critical.

Compliance Impact

This vulnerability allows an anonymous attacker to execute stored cross-site scripting (XSS) attacks in the privileged browser sessions of meeting hosts or site administrators by injecting malicious payloads via the User-Agent header. Such unauthorized code execution can lead to session theft, cross-site request forgery (CSRF), and unauthorized actions performed with administrative privileges.

From a compliance perspective, this vulnerability could impact adherence to standards and regulations like GDPR and HIPAA because it compromises the confidentiality and integrity of user sessions and potentially sensitive data accessible to administrators. Unauthorized access or manipulation of administrative functions may lead to data breaches or unauthorized disclosure of personal or protected health information.

Therefore, until patched, this vulnerability poses a risk to maintaining compliance with security requirements mandated by such regulations, which require protection against unauthorized access and ensuring data integrity.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-60092. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart