CVE-2026-34739: Cross-site Scripting in AVideo

Severity: 6.1 MEDIUM (NVD)
EPSS: 0.0% (top 91.36%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline
Published: Mar 31
Latest update: Apr 1

Description

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the User_Location plugin's testIP.php page reflects the ip request parameter directly into an HTML input element without applying htmlspecialchars() or any other output encoding. This allows an attacker to inject arbitrary HTML and JavaScript via a crafted URL. Although the page is restricted to admin users, AVideo's SameSite=None cookie configuration allows cross-origin exploitation, meaning an attacker can lure an admin
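The defect described above is the classic reflected-XSS pattern: a request parameter is concatenated into an HTML attribute without context-appropriate encoding. The following PHP is an added illustration, not code from AVideo or from the advisory; the function names and the page layout are assumptions, and the "before" function only mirrors the pattern the description names. It shows the unescaped concatenation beside the hardened form, plus an input-validation step that fits a page whose purpose is to test an IP address.

```php
<?php
// Added example (hypothetical); not AVideo's testIP.php.

// Before: the ip parameter is reflected into an attribute value with no encoding.
// Any quote or angle bracket in $ip changes the markup. This mirrors the
// pattern the advisory describes and is kept only for comparison.
function renderIpFieldVulnerable(string $ip): string
{
    return '<input type="text" name="ip" value="' . $ip . '">';
}

// After: encode for the HTML attribute context. ENT_QUOTES escapes both
// single and double quotes (the attribute delimiters), ENT_SUBSTITUTE avoids
// returning an empty string on invalid UTF-8, and the charset is explicit.
function renderIpFieldSafe(string $ip): string
{
    $encoded = htmlspecialchars($ip, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="ip" value="' . $encoded . '">';
}

// Defence in depth: the page exists to test an IP address, so anything that
// is not a valid IPv4/IPv6 literal can be rejected before it is rendered.
function validIpOrNull(?string $candidate): ?string
{
    if ($candidate === null) {
        return null;
    }
    return filter_var($candidate, FILTER_VALIDATE_IP) !== false ? $candidate : null;
}

// Page entry point (assumed): validate first, then always encode on output.
$ip = validIpOrNull($_GET['ip'] ?? null) ?? '';
header('Content-Type: text/html; charset=UTF-8');
echo renderIpFieldSafe($ip);
```

Output encoding is the fix that closes the vulnerability class regardless of who can reach the page or how session cookies are scoped; the validation step narrows the input to what the page actually needs, so that an invalid value never reaches the template at all. Reviewers can grep a PHP code base for `value="' . $` and similar raw concatenations of request data into attributes to find the same pattern elsewhere.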

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Exploitability: 2.8 | Impact: 2.7

Affected Packages (2 packages)

NVD: wwbn/avideo 26.0
Packagist: wwbn/avideo 26.0

Vulnerability Details (2)

GHSA: AVideo: Reflected XSS via Unescaped ip Parameter in User_Location testIP.php (2026-04-01)
OSV: AVideo: Reflected XSS via Unescaped ip Parameter in User_Location testIP.php (2026-04-01)

Threat Intelligence (1)

Wiz: CVE-2026-34739 Impact, Exploitability, and Mitigation Steps | Wiz