CVE-2026-45580 MEDIUM

CVE-2026-45580: WWBN AVideo Live: stored XSS via unescaped stream key in modeYoutubeLive.php class attribute

Vendor: WWBN
Product: AVideo
Weakness: CWE-79 (XSS)
Published: May 29, 2026
Last update: June 2, 2026

CVSS base score

5.4/10
Attack vector: Network
Attack complexity: Low
Privileges required: Low
User interaction: Required
Confidentiality: Low
Integrity: Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

What the vulnerability does

Description

WWBN AVideo is an open source video platform. Versions 29.0 and earlier contain a stored cross-site scripting vulnerability. The Live plugin's "YouTube-style" view (modeYoutubeLive.php) renders the live transmission's stream key into an HTML class attribute with a raw echo, without passing it through htmlspecialchars(). A user with the canStream permission can persist a key containing a double quote (") followed by an event handler via plugin/Live/saveLive.php. Any visitor, logged in or anonymous, who then opens the stream's live page executes the attacker's JavaScript in the platform origin.
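
The escaping gap described above, next to two defensive controls, as an added example. This is not AVideo's code: the function names, the `live_` class prefix, the key allowlist and the sample keys are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Pattern described in the record: the stored value is echoed raw into a
// double-quoted attribute, so a '"' in the value ends the attribute early.
function renderClassRaw(string $key): string
{
    return '<div class="live_' . $key . '"></div>';
}

// Output encoding for attribute context. ENT_QUOTES encodes both " and ',
// so the value cannot leave the attribute it was written into.
function renderClassEscaped(string $key): string
{
    $safe = htmlspecialchars($key, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<div class="live_' . $safe . '"></div>';
}

// Validation at save time. The allowlist is an assumption; the real key
// format may differ. \A and \z anchor the whole string, including newlines.
function isValidStreamKey(string $key): bool
{
    return preg_match('/\A[A-Za-z0-9_-]{1,128}\z/', $key) === 1;
}

// Constructed sample keys: one well-formed, one that breaks out of the attribute.
$samples = [
    'abc123DEF',
    'x" onmouseover="alert(1)',
];

foreach ($samples as $key) {
    printf("key:     %s\n", $key);
    printf("valid:   %s\n", isValidStreamKey($key) ? 'yes' : 'no');
    printf("raw:     %s\n", renderClassRaw($key));
    printf("escaped: %s\n\n", renderClassEscaped($key));
}
```

Encoding at the point of output is what closes this sink; validating on save additionally keeps malformed keys out of storage, where other views might render them.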

Key dates

Disclosure timeline

May 29, 2026: CVE published
June 2, 2026: Record updated