Stored Cross-Site Scripting Vulnerability in AVideo Meet Plugin
CVE-2026-60092
5.1MEDIUM
What is CVE-2026-60092?
The AVideo Meet plugin has a stored cross-site scripting vulnerability due to improper handling of the User-Agent header. When an unauthenticated user joins a public meeting, their User-Agent string is logged directly without any sanitization. This payload can later execute in the browser sessions of hosts and administrators who view the participant list, exposing them to potential attacks whenever they access the Participants management panel.
