Cross-Site Scripting Vulnerability in WWBN AVideo Video Platform
CVE-2026-43878

6.1 MEDIUM

Key Information:

Vendor: Wwbn

Status
Vendor
CVE Published: 11 May 2026

What is CVE-2026-43878?

The WWBN AVideo platform, a widely used open-source solution for video management, is vulnerable to Cross-Site Scripting (XSS). In versions up to and including 29.0, a flaw in the plugin file 'Meet/iframe.php' allows an attacker to send a specially crafted URL that includes user and password parameters. These parameters are not escaped before being written into a JavaScript block, which enables the execution of arbitrary JavaScript code in a victim's browser. Notably, this vulnerability does not require authentication if a public Meet schedule is available, making it particularly dangerous. Users are encouraged to upgrade to the latest version, as the issue has been addressed in commit 3298ced2bcf92e4f3acff6ce9bde14edf42ecb5b.
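The bug class described above, as an added PHP example that is neither AVideo's code nor the actual fix: it shows request parameters written unescaped into an inline script block, next to a version encoded for the JavaScript context. The function names, the parameter keys `user` and `password`, and the input values are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for a page that copies request parameters into an
// inline <script> block. This is NOT the code of Meet/iframe.php.

// Read one request parameter as a string; arrays (user[]=x) become ''.
function param(array $params, string $key): string
{
    $v = $params[$key] ?? '';
    return is_string($v) ? $v : '';
}

// Vulnerable pattern: the values land inside a JS string literal unescaped.
function renderUnsafe(array $params): string
{
    $user = param($params, 'user');
    $pass = param($params, 'password');
    return "<script>\nvar user = \"$user\";\nvar pass = \"$pass\";\n</script>";
}

// Hardened pattern: json_encode() emits a complete, quoted JS literal. The
// JSON_HEX_* flags turn <, >, &, ' and " into \uXXXX escapes, so the value
// can close neither the string nor the surrounding <script> element.
// JSON_THROW_ON_ERROR makes invalid UTF-8 raise instead of returning false.
function jsLiteral(string $value): string
{
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

function renderSafe(array $params): string
{
    $user = jsLiteral(param($params, 'user'));
    $pass = jsLiteral(param($params, 'password'));
    return "<script>\nvar user = $user;\nvar pass = $pass;\n</script>";
}

// Constructed input: one value tries to close the string literal, the other
// tries to close the script element.
$params = ['user' => 'alice";console.log(1);//', 'password' => '</script><b>x</b>'];

echo renderUnsafe($params), "\n\n"; // both values break out of their context
echo renderSafe($params), "\n";     // both values stay inert string data
```

HTML-entity escaping such as `htmlspecialchars()` is the wrong encoder for this position; inside a script block the value has to be encoded as a JavaScript literal.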

Affected Version(s)

AVideo <= 29.0

CVSS V3.1

Score: 6.1
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
