Home / Vulnerability Intelligence / CVE-2026-34375

CVE-2026-34375 - Vulnerability Analysis

HighCVSS: 8.2

Last Updated: March 30, 2026

WWBN AVideo - Stored XSS

Published: March 27, 2026Updated: March 30, 2026Remote Exploitable

Overview

WWBN AVideo <= 26.0 contains a stored XSS caused by unsanitized echo of the 'plugin' parameter in YPTWallet Stripe payment confirmation page JavaScript block, letting attackers inject scripts to steal user credentials, exploit requires victim to visit crafted URL.

Severity & Score

Severity: High

CVSS Score: 8.2

EPSS Score: 3.3%(Probability of exploitation in next 30 days)

Impact

Attackers can execute arbitrary JavaScript to steal user credentials including username and password hash.

Mitigation

Update to a version including commit fa0bc102493a15d79fe03f86c07ab7ca1b5b63e2 or later.

References

Social Media Activity(1 post)

TheHackerWire

@thehackerwire

Mar 27, 2026

🟠 CVE-2026-34375 - High (8.2) WWBN AVideo is an open source video platform. In versions up to and including 26.0, the YPTWallet Stripe payment confirmation page directly echoes the `$_REQUEST['plugin']` parameter into a JavaScript block without any encoding or sanitization. Th... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-34375/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

Related Resources

Details

CVE ID: CVE-2026-34375
Severity: High
CVSS Score: 8.2
Type: stored_xss
Status: unconfirmed
EPSS: 3.3%
Social Posts: 1

CWE

CWE-79

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N

EPSS Score

3.3%Probability of exploitation in the next 30 days