CVE-2026-34716 - Vulnerability Analysis
Medium | CVSS: 6.4 | Last Updated: April 1, 2026
WWBN AVideo - Stored XSS
Published: March 31, 2026 | Updated: April 1, 2026 | PoC Available | Remote Exploitable
Overview
WWBN AVideo <= 26.0 contains a stored XSS vulnerability in the YPTSocket plugin: the caller display name is rendered via the jQuery Toast Plugin without sanitization, letting attackers execute scripts in online users' browsers via calls. Exploitation requires the victim to be connected to the WebSocket.
Severity & Score
Severity: Medium
CVSS Score: 6.4
Impact
Attackers can execute arbitrary scripts in online users' browsers, potentially stealing data or performing actions on their behalf.
Mitigation
Update to the latest version when patches become available or apply input sanitization to caller display names.
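One way to apply the sanitization described above before a caller name reaches the toast, shown as an added example that is not AVideo's or the YPTSocket plugin's own code. The message field `callerName`, the function names and the sample values are assumptions; `heading`, `text` and `hideAfter` are jQuery Toast Plugin options, and the plugin inserts `heading` and `text` as HTML.

```javascript
'use strict';
// Added example, not AVideo source. The message shape ({ callerName }) is hypothetical.

const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;', '`': '&#96;',
};

// Encode every character that can start a tag, an attribute value or an entity.
function escapeHtml(value) {
  return String(value).replace(/[&<>"'`]/g, (ch) => HTML_ESCAPES[ch]);
}

// Treat the display name as untrusted: require a string, strip control
// characters, cap the length, then HTML-encode what is left.
function safeDisplayName(raw, maxLen = 64) {
  if (typeof raw !== 'string') return 'Unknown caller';
  const cleaned = raw.replace(/[\u0000-\u001F\u007F]/g, '').trim().slice(0, maxLen);
  return cleaned === '' ? 'Unknown caller' : escapeHtml(cleaned);
}

// Build the options object handed to $.toast(). Only encoded text is placed
// in fields that the plugin renders as HTML.
function buildCallToast(msg) {
  return {
    heading: 'Incoming call',
    text: safeDisplayName(msg && msg.callerName) + ' is calling you',
    hideAfter: 10000,
  };
}

// Constructed sample messages, as they might arrive over the WebSocket.
const samples = [
  { callerName: 'Alice' },
  { callerName: '<img src=x onerror=alert(1)>' },
  { callerName: 42 },
];

for (const msg of samples) {
  const opts = buildCallToast(msg);
  // In the browser, with jQuery and the toast plugin loaded, show the toast.
  if (typeof $ !== 'undefined' && $.toast) $.toast(opts);
  else console.log(opts.text);
}
```

Encoding at the point of rendering covers names already stored with markup in them; validating the name when it is saved is a useful second layer.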
Details
- CVE ID: CVE-2026-34716
- Severity: Medium
- CVSS Score: 6.4
- Type: stored_xss
- Status: confirmed
CWE
- CWE-79
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N