#VU125491 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in AVideo - CVE-2026-34716
Published: April 8, 2026
Vulnerability identifier: #VU125491
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-34716
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
AVideo
AVideo
Software vendor:
World Wide Broadcast Network
World Wide Broadcast Network
Description
The vulnerability allows a remote user to execute arbitrary script code in the victim's browser.
The vulnerability exists due to cross-site scripting in the YPTSocket caller notification handling in plugin/YPTSocket/caller.js when processing forged WebSocket call messages. A remote user can send a specially crafted WebSocket call message with a malicious from_identification value to execute arbitrary script code in the victim's browser.
The issue is triggered without user interaction when the victim is online and connected to the WebSocket, and exploitation requires a custom WebSocket client because the normal UI sanitizes display names.
Remediation
Install security update from vendor's website.