CVE-2026-60092 Overview
CVE-2026-60092 is a stored cross-site scripting (XSS) vulnerability [CWE-79] in the AVideo Meet plugin. The flaw affects the getMeetInfo.json.php endpoint through commit e8d6119f3cb1b849149906efeb0a41fc024f59f8. When a participant joins a public meeting, the raw HTTP User-Agent header is stored in meet_join_log.user_agent without sanitization. AVideo's setter-level xss_esc() layer is bypassed, and the value is later echoed in the Participants management panel without htmlspecialchars(). An unauthenticated attacker can persist a JavaScript payload that executes in the browser session of the meeting host or a site administrator.
Critical Impact
Unauthenticated attackers can execute arbitrary JavaScript in privileged host and administrator sessions by supplying a malicious User-Agent header when joining a public meeting.
Affected Products
- AVideo Meet plugin through commit e8d6119f3cb1b849149906efeb0a41fc024f59f8
- AVideo getMeetInfo.json.php endpoint
- AVideo Participants management panel accessible to hosts and administrators
Discovery Timeline
- 2026-07-08 - CVE-2026-60092 published to NVD
- 2026-07-08 - Last updated in NVD database
Technical Details for CVE-2026-60092
Vulnerability Analysis
The vulnerability originates in the join workflow of the AVideo Meet plugin. When an anonymous user connects to a public meeting through getMeetInfo.json.php, the plugin logs the participant's connection metadata into the meet_join_log table. The user_agent column receives the raw value from the HTTP User-Agent header without passing through the framework's setter-level xss_esc() sanitization layer.
The Participants management panel later reads this stored value and renders it directly to the HTML response without applying htmlspecialchars() or an equivalent output encoding. This creates a persistent XSS sink in a privileged administrative view. When a meeting host or site administrator opens the participant list, injected HTML and JavaScript execute in their authenticated browser context. The impact includes session token theft, forced administrative actions, and pivoting to full site takeover through administrator-only endpoints.
Root Cause
The root cause is dual-layer sanitization failure. The input path skips the xss_esc() setter used elsewhere in AVideo, and the output path omits htmlspecialchars() encoding when rendering participant records. Neither the storage layer nor the presentation layer neutralizes HTML control characters.
Attack Vector
Exploitation requires only network access to a public meeting URL. The attacker issues a join request with a crafted User-Agent header containing an HTML or JavaScript payload. No authentication, prior account, or user interaction from the attacker side is needed. Execution triggers when a privileged user views the Participants panel.
// Related change from the AVideo security patch commit (objects/user.php)
// Source: https://github.com/WWBN/AVideo/commit/e8d6119f3cb1b849149906efeb0a41fc024f59f8
if (class_exists('AVideoPlugin') && $obj = AVideoPlugin::getDataObjectIfEnabled("LoginControl")) {
if (!empty($obj->singleDeviceLogin)) {
if (isAVideoEncoder()) {
_error_log('[SESSION_DEBUG] recreateLoginFromCookie: skip singleDeviceLogin check for encoder request script=' . ($_SERVER['SCRIPT_NAME'] ?? '') . ' ip=' . getRealIpAddr());
} elseif (!LoginControl::isLoggedFromSameDevice()) {
self::logoff();
return false;
}
}
}
Source: GitHub AVideo Commit
Detection Methods for CVE-2026-60092
Indicators of Compromise
- Rows in meet_join_log.user_agent containing HTML tags such as <script>, <img, <svg, or event handlers like onerror= and onload=.
- Web server access logs showing requests to getMeetInfo.json.php with non-standard User-Agent headers containing angle brackets or JavaScript keywords.
- Unexpected outbound requests from administrator browsers shortly after opening the Participants panel.
Detection Strategies
- Query the meet_join_log table for user_agent values matching regular expressions that detect HTML or JavaScript syntax.
- Deploy a Web Application Firewall (WAF) rule inspecting User-Agent headers destined for the Meet plugin endpoints and blocking payloads containing HTML control characters.
- Monitor browser Content Security Policy (CSP) violation reports from administrator sessions accessing the Participants panel.
Monitoring Recommendations
- Alert on administrative session anomalies such as unexpected password resets, new user creations, or plugin configuration changes following participant list access.
- Log and review all HTTP requests to getMeetInfo.json.php, correlating source IP addresses with abnormal User-Agent header patterns.
- Track access frequency to the Participants management panel and cross-reference with suspicious join activity on public meetings.
How to Mitigate CVE-2026-60092
Immediate Actions Required
- Restrict access to public meetings until a patched build is deployed, or disable the Meet plugin if it is not business critical.
- Purge existing meet_join_log entries after auditing them for injected payloads to prevent triggering when administrators open the panel.
- Enforce a strict Content Security Policy that disallows inline script execution in the AVideo administrative interface.
Patch Information
The issue was unpatched at the time of the report. Track the upstream fix through the GitHub Security Advisory GHSA-7cqp-7cfv-6c3q and the VulnCheck AVideo XSS Advisory. Apply the vendor patch as soon as it is released and audit any customized forks of the Meet plugin.
Workarounds
- Add a server-side filter that rejects or sanitizes User-Agent headers containing angle brackets or JavaScript keywords before they reach getMeetInfo.json.php.
- Wrap participant rendering in the Participants management panel with an explicit htmlspecialchars($value, ENT_QUOTES, 'UTF-8') call in a local patch.
- Require authentication for meeting joins by disabling public, unauthenticated meeting access until the vendor fix ships.
# Example ModSecurity rule to block HTML/JS in User-Agent for the vulnerable endpoint
SecRule REQUEST_URI "@contains /plugin/Meet/getMeetInfo.json.php" \
"chain,phase:1,deny,status:403,id:1060092,\
msg:'CVE-2026-60092 AVideo Meet XSS via User-Agent'"
SecRule REQUEST_HEADERS:User-Agent "@rx (?i)(<script|onerror=|onload=|javascript:|<svg|<img)"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

