Stored Cross-Site Scripting Vulnerability in AVideo Meet Plugin
CVE-2026-60092

5.1MEDIUM

Key Information:

Vendor

Avideo

Status
Vendor
CVE Published:
8 July 2026

What is CVE-2026-60092?

The AVideo Meet plugin has a stored cross-site scripting vulnerability due to improper handling of the User-Agent header. When an unauthenticated user joins a public meeting, their User-Agent string is logged directly without any sanitization. This payload can later execute in the browser sessions of hosts and administrators who view the participant list, exposing them to potential attacks whenever they access the Participants management panel.

References

CVSS V4

Score:
5.1
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

tonghuaroot
.