CVE-2026-34716 MEDIUM

CVE-2026-34716: AVideo: DOM XSS via Unsanitized Display Name in WebSocket Call Notification

Vendor Wwbn
Product AVideo
Weakness CWE-79 · XSS
Published March 31, 2026
Last update April 3, 2026
View on NVD All CVEs

CVSS base score

6.4/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

What the vulnerability does

01Description

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo YPTSocket plugin's caller feature renders incoming call notifications using the jQuery Toast Plugin, passing the caller's display name directly as the heading parameter. The toast plugin constructs the heading as raw HTML ('<h2>' + heading + '</h2>') and inserts it into the DOM via jQuery's .html() method, which parses and executes any embedded HTML or script content. An attacker can set their display name to an XSS payload and trigger code execution on any online user's browser simply by initiating a call - no victim interaction is required beyond being connected to the WebSocket. At time of publication, there are no publicly available patches.

Key dates

02Disclosure timeline

March 31, 2026 CVE published
April 3, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2023-46075 WordPress Contact Form Builder, Contact Widget Plugin <= 2.1.6 is vulnerable to Cross Site Scripting (XSS) CVE-2024-35649 WordPress Save as PDF Plugin by Pdfcrowd plugin <= 3.2.3 - Cross Site Scripting (XSS) vulnerability CVE-2021-32670 Reflected cross-site scripting issue in Datasette CVE-2025-31742 WordPress Dima Take Action Plugin <= 1.0.5 - Cross Site Scripting (XSS) vulnerability CVE-2025-32548 WordPress Hamburger Icon Menu Lite Plugin <= 1.0 - Reflected Cross Site Scripting (XSS) vulnerability