Medium severity5.4GHSA Advisory· Published May 29, 2026· Updated Jun 1, 2026
CVE-2026-45580
CVE-2026-45580
Description
WWBN AVideo is an open source video platform. In 29.0 and earlier, there is a stored cross-site scripting vulnerability. The Live plugin's "YouTube-style" view renders the live transmission's stream key into an HTML class attribute by raw echo, without htmlspecialchars(). A canStream user can persist a key containing " plus an event handler via plugin/Live/saveLive.php, and any visitor (logged in or anonymous) opening the stream's live page executes attacker JavaScript in the platform origin.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
WWBN/AVideoPackagist | <= 29.0 | — |
Affected products
3Patches
Vulnerability mechanics
References
3- github.com/WWBN/AVideo/security/advisories/GHSA-m5j4-7r85-2cj2nvdMitigationVendor AdvisoryWEB
- github.com/advisories/GHSA-m5j4-7r85-2cj2ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-45580ghsaADVISORY
News mentions
1- WWBN AVideo: Nine Bugs Disclosed Together — From Wallet Fraud to RCEVypr Intelligence · May 29, 2026