CVE-2026-45580 PUBLISHED

WWBN AVideo Live: stored XSS via unescaped stream key in modeYoutubeLive.php class attribute

Assigner: GitHub_M
Reserved: 12.05.2026 Published: 29.05.2026 Updated: 29.05.2026

WWBN AVideo is an open source video platform. In 29.0 and earlier, there is a stored cross-site scripting vulnerability. The Live plugin's "YouTube-style" view renders the live transmission's stream key into an HTML class attribute by raw echo, without htmlspecialchars(). A canStream user can persist a key containing " plus an event handler via plugin/Live/saveLive.php, and any visitor (logged in or anonymous) opening the stream's live page executes attacker JavaScript in the platform origin.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CVSS Score: 5.4

Attack Vector	Network	Scope	Changed
Attack Complexity	Low	Confidentiality Impact	Low
Privileges Required	Low	Integrity Impact	Low
User Interaction	Required	Availability Impact	None

CVSS 3.1

Product Status

Vendor	WWBN
Product	AVideo
Versions	Version <= 29.0 is affected

References

https://github.com/WWBN/AVideo/security/advisories/GHSA-m5j4-7r85-2cj2

Problem Types

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE