CVE-2026-43878

MEDIUM SEVERITY

CVSS Score & Metrics

Base Score

6.1 / 10

Vector String

                                        CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N                                    

Vulnerability Description

WWBN AVideo is an open source video platform. In versions up to and including 29.0, plugin/Meet/iframe.php echoes the attacker-controlled user and pass query parameters unescaped into a JavaScript double-quoted string literal inside a <script> block. An attacker who sends a victim to a crafted URL can break out of the string and execute arbitrary JavaScript in the victim's browser in the context of the AVideo origin. No authentication is required if a public Meet schedule exists on the target. Commit 3298ced2bcf92e4f3acff6ce9bde14edf42ecb5b contains an updated fix.

Vulnerability Details

Published Date

May 05, 2026

Last Modified

May 12, 2026

CWE ID

CWE-79

Source

GitHub

Vendor

composer

Product

wwbn/avideo

External References

https://github.com/WWBN/AVideo/security/advisories/GHSA-mm5f-8q57-4fc4
https://github.com/WWBN/AVideo/commit/3298ced2bcf92e4f3acff6ce9bde14edf42ecb5b
https://github.com/advisories/GHSA-mm5f-8q57-4fc4

CVE-2026-43878

CVSS Score & Metrics

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment