Home / Vulnerability Intelligence / CVE-2026-34375

CVE-2026-34375 - Vulnerability Analysis

HighCVSS: 8.2

Last Updated: March 27, 2026

WWBN AVideo - Stored XSS

Published: March 27, 2026Updated: March 27, 2026Remote Exploitable

Overview

WWBN AVideo <= 26.0 contains a stored XSS caused by unsanitized echo of the 'plugin' parameter in YPTWallet Stripe payment confirmation page JavaScript block, letting attackers inject scripts to steal user credentials, exploit requires victim to visit crafted URL.

Severity & Score

Severity: High

CVSS Score: 8.2

Impact

Attackers can execute arbitrary JavaScript to steal user credentials including username and password hash.

Mitigation

Update to a version including commit fa0bc102493a15d79fe03f86c07ab7ca1b5b63e2 or later.

References

https://github.com/WWBN/AVideo/commit/fa0bc102493a15d79fe03f86c07ab7ca1b5b63e2
https://github.com/WWBN/AVideo/security/advisories/GHSA-pm37-62g7-p768

Related Resources

Vulnerability Intelligence Dashboard
Credential Scanner

Details

CVE ID: CVE-2026-34375
Severity: High
CVSS Score: 8.2
Type: stored_xss
Status: new

CWE

CWE-79

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N