CVE-2026-56347 Overview
CVE-2026-56347 is a stored cross-site scripting (XSS) vulnerability [CWE-79] in the AVideo TopMenu plugin through version 26.0. The flaw exists in the menu item rendering logic, where icon classes, URLs, and text labels are emitted without proper output encoding. Attackers with the ability to create or modify menu items can inject JavaScript that executes in the browser of every visitor who loads a page containing the rendered menu. Successful exploitation enables session cookie theft, request forgery, and unauthorized actions performed under the victim's authenticated context. AVideo is an open-source video streaming and content management platform, and the TopMenu plugin controls site-wide navigation, which expands the blast radius of injected payloads across the application.
Critical Impact
Stored JavaScript payloads in TopMenu fields execute for all site visitors, enabling session hijacking and unauthorized actions across the AVideo application.
Affected Products
- AVideo TopMenu plugin versions through 26.0
- WWBN AVideo deployments with the TopMenu plugin enabled
- Sites permitting menu item creation or modification by non-administrator roles
Discovery Timeline
- 2026-06-20 - CVE-2026-56347 published to NVD
- 2026-06-22 - Last updated in NVD database
Technical Details for CVE-2026-56347
Vulnerability Analysis
The vulnerability resides in the TopMenu plugin's menu rendering code path. When AVideo generates the navigation menu, the plugin reads stored menu item fields from the database and writes them directly into the HTML response. The icon class attribute, URL attribute, and visible text label are concatenated into the output without HTML entity encoding or context-aware escaping. An attacker who can submit menu item data persists a payload such as JavaScript event handlers in attribute contexts or <script> content in text contexts. Every subsequent page render serves the payload to authenticated users and anonymous visitors. Because the TopMenu component appears across the AVideo site, the attack surface includes the administrative interface, increasing the likelihood that a privileged session is hijacked.
Root Cause
The root cause is missing output encoding in the menu item template logic. The plugin trusts stored field values rather than treating them as untrusted data at the rendering boundary. Input filtering on the storage side does not compensate, and there is no per-context escaping applied for HTML attribute values, URL contexts, or HTML element content.
Attack Vector
Exploitation requires network access to the AVideo instance and an account or workflow that permits creating or editing TopMenu entries. The attacker submits a crafted icon class, URL, or label containing JavaScript. The payload triggers when any user, including administrators, loads a page that renders the menu. User interaction is limited to navigating to an affected page.
No verified public proof-of-concept code is available. Refer to the GitHub Security Advisory GHSA-gmpc-fxg2-vcmq and the VulnCheck Advisory on AVideo Plugin for advisory-level technical details.
Detection Methods for CVE-2026-56347
Indicators of Compromise
- Menu item records containing <script>, javascript:, onerror=, onload=, or other event handler substrings in icon class, URL, or label fields
- Unexpected outbound requests from user browsers to attacker-controlled domains shortly after navigating to AVideo pages
- Administrator session cookies appearing in web server referrer logs or external telemetry
- Database writes to TopMenu tables from non-administrative accounts or unexpected source IPs
Detection Strategies
- Audit the TopMenu plugin database tables for stored values containing HTML tags, URL schemes other than http/https, or JavaScript event attributes
- Review web server access logs for POST requests to TopMenu administration endpoints originating from low-privilege accounts
- Enable Content Security Policy (CSP) reporting to surface inline script execution attempts within AVideo pages
Monitoring Recommendations
- Forward AVideo application and web server logs to a centralized analytics platform and alert on TopMenu modification events
- Monitor administrator session activity for anomalous request patterns following menu page loads
- Track DOM-based telemetry from endpoint browsers to identify execution of unexpected scripts on trusted AVideo domains
How to Mitigate CVE-2026-56347
Immediate Actions Required
- Upgrade the AVideo TopMenu plugin to a release later than version 26.0 once the maintainers publish a fixed version
- Restrict TopMenu modification permissions to a minimal set of trusted administrators
- Inspect existing menu item records and remove any entries containing HTML tags, JavaScript URIs, or event handler attributes
- Invalidate active administrator sessions and rotate credentials if suspicious menu entries are found
Patch Information
Consult the GitHub Security Advisory GHSA-gmpc-fxg2-vcmq for the authoritative patch status and remediation guidance from the WWBN AVideo maintainers. The advisory tracks fix availability for the TopMenu plugin.
Workarounds
- Disable the TopMenu plugin until a patched version is deployed
- Deploy a web application firewall rule that blocks HTML and JavaScript metacharacters in TopMenu submission endpoints
- Apply a strict Content Security Policy that disallows inline scripts and restricts script sources to known origins
- Manually sanitize stored menu item fields by stripping HTML tags and validating URL schemes against an allowlist
# Example Content Security Policy header to limit XSS impact
Header set Content-Security-Policy "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'self'"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

