Stored Cross-Site Scripting in WWBN AVideo Open Source Video Platform
CVE-2026-45580

5.4MEDIUM

Key Information:

Vendor: Wwbn
Status: Avideo
Vendor: CVE Published:; 29 May 2026

What is CVE-2026-45580?

WWBN AVideo, an open source video platform, contains a vulnerability that allows for stored cross-site scripting (XSS). In versions up to 29.0, the Live plugin improperly exposes live transmission stream keys in an HTML class attribute without adequate escaping measures. This flaw allows users with streaming capabilities to inject malicious JavaScript, which can then be executed by any visitor to the live stream page, whether they are logged in or not. This presents a significant risk as attackers could leverage this to execute unauthorized actions or extract sensitive information from users.

Affected Version(s)

AVideo <= 29.0

References

https://github.com/WWBN/AVideo/security/advisories/GHSA-m...

x_refsource_CONFIRM

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 29, 2026
Vulnerability Reserved
May 12, 2026

CVE-2026-45580 Data

JSON

Wwbn

What is CVE-2026-45580?

Affected Version(s)

References

CVSS V3.1

Timeline