CVE Vulnerability Database

CVE-2026-45580: WWBN AVideo Stored XSS Vulnerability

CVE-2026-45580 is a stored XSS vulnerability in the Live plugin of WWBN AVideo that lets an authenticated streamer inject JavaScript through a stream key; the payload runs in the browser of every visitor who opens the affected live page. This article covers technical details, affected versions, impact, and mitigation.


CVE-2026-45580 Overview

CVE-2026-45580 is a stored cross-site scripting (XSS) vulnerability in WWBN AVideo, an open source video platform. The flaw affects version 29.0 and earlier. The Live plugin's YouTube-style view renders the stream key into an HTML class attribute with a raw echo, without passing the value through htmlspecialchars(). A user with the canStream permission can persist a stream key containing a double-quote character followed by an HTML event handler. Any visitor who opens that stream's live page then executes attacker-controlled JavaScript in the platform origin. The weakness is classified as CWE-79 (improper neutralization of input during web page generation).

Critical Impact

Authenticated streamers can persist JavaScript that executes in the AVideo origin for every visitor of the affected live page, authenticated or not. Because the script runs with the viewer's session, it can steal cookies that are not marked HttpOnly, read CSRF tokens from the page, and perform actions as the viewer, which is sufficient for session theft and account takeover.

Affected Products

  • WWBN AVideo 29.0 and all earlier versions
  • Only deployments with the Live plugin enabled and its YouTube-style view in use are exposed

Discovery Timeline

  • 2026-05-29 - CVE-2026-45580 published to NVD
  • 2026-06-01 - Last updated in NVD database

Technical Details for CVE-2026-45580

Vulnerability Analysis

The vulnerability resides in the Live plugin's YouTube-style player view. The view template emits the stream key directly into an HTML class attribute using a raw PHP echo. Because the output is not encoded through htmlspecialchars(), an attacker can break out of the attribute context. Injecting a double-quote terminates the class attribute and allows the attacker to append arbitrary attributes, including JavaScript event handlers such as onmouseover or onerror.

The stream key is persisted server-side through plugin/Live/saveLive.php, making the payload stored rather than reflected. Every page load of the affected live stream re-executes the malicious payload. Because rendering happens for both authenticated and anonymous viewers, the attack surface includes the entire visitor population of the live stream.

Root Cause

The root cause is missing output encoding [CWE-79]. The Live plugin trusts the stream key value as it was stored, rather than treating it as untrusted data when rendering HTML. Input validation at the saveLive.php endpoint also fails to constrain the character set of stream keys, permitting quote characters and HTML syntax.
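To make the root cause concrete, the following is an added illustration of the bug class and its fix; it is not AVideo's actual view or endpoint code. It contrasts the raw echo into a double-quoted class attribute with the same template after context-aware encoding, and adds the kind of allow-list validator the save endpoint should apply. The template shape, the function names, the expected key format and the sample key are all assumptions made for the example.

```php
<?php
// Added illustration of CWE-79 in an attribute context. This is NOT
// AVideo's code; the template shape and key format are assumptions.
declare(strict_types=1);

// Vulnerable pattern: the stored key is concatenated straight into a
// double-quoted attribute. A key containing " closes the attribute and
// everything after it is parsed as additional attributes.
function renderPlayerVulnerable(string $streamKey): string
{
    return '<div class="live-player ' . $streamKey . '"></div>';
}

// Hardened pattern: encode for the HTML attribute context before emitting.
// ENT_QUOTES covers both quote styles, so the same helper is safe if the
// template is ever changed to single-quoted attributes. ENT_SUBSTITUTE
// replaces malformed UTF-8 instead of returning an empty string, which
// would otherwise silently drop the key and mask the problem. Before
// PHP 8.1 the default flag set was ENT_COMPAT (double quotes only), so
// the flags are passed explicitly rather than relied on.
function renderPlayerFixed(string $streamKey): string
{
    $safe = htmlspecialchars($streamKey, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<div class="live-player ' . $safe . '"></div>';
}

// Defence in depth at the save endpoint: an allow-list of characters and
// a length bound, not a deny-list of dangerous substrings. The exact
// format (8-64 chars of [A-Za-z0-9_-]) is an assumption; match it to the
// keys the deployment actually generates.
function isValidStreamKey(string $streamKey): bool
{
    return preg_match('/^[A-Za-z0-9_-]{8,64}$/', $streamKey) === 1;
}

// Constructed sample key of the shape the advisory describes (quote,
// then an event handler). It targets only the toy template above and is
// not a proof of concept against any real deployment.
$sample = 'abc" onmouseover="alert(1)" data-x="';

echo renderPlayerVulnerable($sample), PHP_EOL;
echo renderPlayerFixed($sample), PHP_EOL;
var_dump(isValidStreamKey($sample));
var_dump(isValidStreamKey('stream_7f3a9c2d'));
```

Run it with the PHP CLI and compare the two rendered lines: in the vulnerable output the browser sees a separate onmouseover attribute on the player element, while in the hardened output the quotes are encoded and the entire key stays inside the class value as inert text. Two caveats a practitioner should keep in mind: htmlspecialchars() only protects a quoted attribute (in an unquoted attribute a space is enough to break out, so always quote), and the validator rejects the sample key because of the quote and spaces, not because it recognises an attack, which is why allow-list validation is more robust than the substring blocking used in the WAF workaround below.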

Attack Vector

An attacker requires an account with the canStream capability. The attacker submits a crafted stream key through the Live plugin save endpoint (plugin/Live/saveLive.php). The payload uses an attribute-break sequence: a double quote to close the class attribute, followed by an event handler attribute whose value is JavaScript. When any visitor loads the YouTube-style live page, the browser parses the injected attribute and runs the JavaScript in the AVideo origin. This allows theft of session cookies that lack the HttpOnly flag, exfiltration of CSRF tokens present in the page, and arbitrary actions performed on behalf of the viewer; no user interaction is needed beyond opening the page when a handler such as onerror is used.

No verified public proof-of-concept is available. See the GitHub Security Advisory GHSA-m5j4-7r85-2cj2 for vendor details.

Detection Methods for CVE-2026-45580

Indicators of Compromise

  • Stream key values stored in the AVideo database containing characters such as ", <, >, or substrings like onerror=, onmouseover=, or javascript:.
  • HTTP POST requests to plugin/Live/saveLive.php with body parameters that include HTML attribute-break sequences in the stream key field.
  • Outbound requests from visitor browsers to unexpected domains immediately after viewing a live stream page.

Detection Strategies

  • Inspect rendered HTML of live stream pages for class attributes containing unbalanced quotes or unexpected event handler attributes.
  • Audit the live_transmissions table and related Live plugin records for stream keys that do not match the expected alphanumeric format.
  • Review web server access logs for saveLive.php submissions originating from low-privilege accounts that recently gained canStream rights.
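The first two checks above can be scripted. The following helpers are an added example, not part of AVideo: one parses a rendered live page the way a browser would and reports every event-handler or javascript: attribute, the other flags stored stream keys that fall outside an expected format. The DOM query, the assumed key format, the assumed column name and the sample data are constructed for the example; it needs PHP 8 for str_starts_with().

```php
<?php
// Added detection helpers for CVE-2026-45580; not AVideo code.
// Column name, key format and sample data are assumptions.
declare(strict_types=1);

// Returns "tag@attribute=value" for every attribute whose name starts with
// "on" or whose value is a javascript: URL. Parsing with DOMDocument matters:
// a key that broke out of a quoted attribute appears here as a real
// attribute, exactly as the visitor's browser would interpret it.
function findEventHandlerAttributes(string $html): array
{
    $findings = [];
    $doc = new DOMDocument();
    $prev = libxml_use_internal_errors(true);   // real pages are rarely well-formed
    $doc->loadHTML($html, LIBXML_NONET);        // never fetch external resources
    libxml_clear_errors();
    libxml_use_internal_errors($prev);

    $xpath = new DOMXPath($doc);
    foreach ($xpath->query('//@*') as $attr) {
        $name  = strtolower($attr->nodeName);
        $value = trim($attr->nodeValue);
        // Whitespace inside "java script:" is ignored by browsers, so strip it first.
        $isJsUrl = stripos(preg_replace('/\s+/', '', $value), 'javascript:') === 0;
        if (str_starts_with($name, 'on') || $isJsUrl) {
            $findings[] = $attr->ownerElement->tagName . '@' . $name . '=' . $value;
        }
    }
    return $findings;
}

// Returns the rows whose key does not match the expected format. $rows is
// what a query such as SELECT id, key FROM live_transmissions would return
// (the column name "key" is an assumption). An allow-list pattern is used so
// that encodings or new handler names do not slip past a deny-list.
function findSuspiciousStreamKeys(array $rows, string $pattern = '/^[A-Za-z0-9_-]{8,64}$/'): array
{
    return array_values(array_filter(
        $rows,
        fn(array $row): bool => preg_match($pattern, (string) $row['key']) !== 1
    ));
}

// Constructed sample page and rows (not captured from a real deployment).
$sampleHtml = '<html><body>'
    . '<div class="live-player abc" onmouseover="alert(1)" data-x=""></div>'
    . '<a class="chat" href=" javascript:void(0)">chat</a>'
    . '<div class="live-player clean_stream_01"></div>'
    . '</body></html>';

$sampleRows = [
    ['id' => 1, 'key' => 'clean_stream_01'],
    ['id' => 2, 'key' => 'abc" onmouseover="alert(1)" data-x="'],
    ['id' => 3, 'key' => 'x<img src=1 onerror=alert(1)>'],
];

print_r(findEventHandlerAttributes($sampleHtml));
print_r(findSuspiciousStreamKeys($sampleRows));
```

Triage the HTML findings against a known-clean render of the same page: AVideo's own templates and themes may legitimately use inline handlers or javascript:void(0) links, so the signal is a handler that appears on the player container or that references an external origin, not the mere presence of one. For the database check, export the table with the real column name and feed the rows in; any hit is a key that should be purged and its owning account reviewed.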

Monitoring Recommendations

  • Enable CSP violation reporting on live pages (Content-Security-Policy-Report-Only with a report-to or report-uri endpoint is enough to observe without blocking) to capture inline script and event-handler executions.
  • Alert on requests from viewer browsers to unexpected external origins while on live pages, since that is how harvested cookies or tokens leave the site.
  • Track creation and modification events on Live plugin records, in particular changes to stream keys, to identify tampering.

How to Mitigate CVE-2026-45580

Immediate Actions Required

  • Upgrade AVideo to a version later than 29.0 once the vendor publishes a fixed release referenced in the GitHub Security Advisory.
  • Audit existing stream keys and purge any value containing HTML metacharacters or event handler substrings.
  • Restrict assignment of the canStream permission to trusted accounts only and review recent grants.

Patch Information

Refer to the vendor advisory at GHSA-m5j4-7r85-2cj2 for fix availability and upgrade instructions. The fix requires applying htmlspecialchars() with ENT_QUOTES (or equivalent context-aware encoding for an HTML attribute) to the stream key before it is emitted in the Live plugin view, and tightening input validation in plugin/Live/saveLive.php so that stored keys are restricted to a safe character set.

Workarounds

  • Apply server-side input validation that limits stream keys to a strict alphanumeric character set (an allow-list, not a list of forbidden substrings) before storage.
  • Deploy a Web Application Firewall (WAF) rule blocking POST requests to plugin/Live/saveLive.php whose stream key field contains ", <, >, or on[a-z]+= patterns. This is a stop-gap only: it does not clean keys that are already stored.
  • Implement a strict Content Security Policy that disallows inline event handlers and inline scripts on live stream pages. Test it in Content-Security-Policy-Report-Only mode first, since the application's own templates may rely on inline scripts.
  • Temporarily disable the Live plugin or the YouTube-style view until the patch is applied.

```apache
# Example WAF rule (ModSecurity) blocking attribute-break payloads in stream key submissions.
# Chained rule: the first SecRule matches the endpoint and carries the disruptive
# action; the second inspects the stream key argument. The argument name
# "streamKey" is assumed and must match the field that saveLive.php actually reads.
SecRule REQUEST_URI "@endsWith /plugin/Live/saveLive.php" \
    "chain,phase:2,deny,status:403,id:1045580,msg:'CVE-2026-45580 AVideo Live XSS attempt'"
    SecRule ARGS:streamKey "@rx (?i)(\"|<|>|on[a-z]+\s*=|javascript:)" \
        "t:none,t:urlDecodeUni"
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
