CVE-2026-34375 · HIGH 8.2 · EPSS percentile 21.0%

Description

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the YPTWallet Stripe payment confirmation page directly echoes the `$_REQUEST['plugin']` parameter into a JavaScript block without any encoding or sanitization. The `plugin` parameter is not included in any of the framework's input filter lists defined in `security.php`, so it passes through completely raw. An attacker can inject arbitrary JavaScript by crafting a malicious URL and sending it to a victim user. The same script block also outputs the current user's username and password hash via `User::getUserName()` and `User::getUserPass()`, meaning a successful XSS exploitation can immediately exfiltrate these credentials. Commit fa0bc102493a15d79fe03f86c07ab7ca1b5b63e2 fixes the issue.
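Vulnerable and hardened forms of the pattern the description names (a request parameter written straight into a `<script>` block), added here as an illustration in PHP; this is not AVideo's code, and the function names, the allowlist and the sample input are constructed assumptions.

```php
<?php
// Added illustration of the CWE-79 pattern described above and of a hardened
// form. NOT AVideo's code: function names, allowlist and inputs are assumptions.

// Vulnerable shape: the raw request value is spliced into a script block, so a
// quote or a "</script>" sequence in the value rewrites the page's JavaScript.
function render_plugin_script_vulnerable(array $request): string
{
    $plugin = $request['plugin'] ?? '';
    return "<script>\nvar plugin = '" . $plugin . "';\n</script>";
}

// Hardened shape:
//  1. validate the value against the set of names the page actually expects;
//  2. emit it as a JSON literal with the HEX flags, so <, >, &, ' and " become
//     \uXXXX escapes and "/" becomes "\/", which cannot end the string literal
//     or the <script> element;
//  3. never place secrets such as a password hash in client-side script.
function render_plugin_script_hardened(array $request, array $knownPlugins): string
{
    $plugin = (string) ($request['plugin'] ?? '');
    // Allowlist assumed for illustration: only registered plugin names pass.
    if (!in_array($plugin, $knownPlugins, true)) {
        $plugin = '';
    }
    $jsLiteral = json_encode(
        $plugin,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
    return "<script>\nvar plugin = " . $jsLiteral . ";\n</script>";
}

// Constructed sample input containing a quote and a closing script tag.
$sample = ['plugin' => "abc'</script>"];
$known  = ['YPTWallet', 'Live'];

// Unsafe: the value lands in the script block unchanged.
echo render_plugin_script_vulnerable($sample), "\n";
// Hardened: the unknown name is rejected and the block reads  var plugin = "";
echo render_plugin_script_hardened($sample, $known), "\n";
// A legitimate value survives validation and is emitted as a JSON string literal.
echo render_plugin_script_hardened(['plugin' => 'YPTWallet'], $known), "\n";
```

Even without the allowlist, the `json_encode` call with the HEX flags is the context-correct encoding for a JavaScript string literal; HTML entity encoding alone is the wrong encoder for this context.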

Scoring

CVSS 3.1: 8.2 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
EPSS: 0.30% probability of exploitation · percentile 21.0% · 2026-06-19T12:03:05Z
Published: 2026-03-27
Last modified: 2026-03-31

Underlying weaknesses (1)

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

References

  1. https://github.com/WWBN/AVideo/commit/fa0bc102493a15d79fe03f86c07ab7ca1b5b63e2
  2. https://github.com/WWBN/AVideo/security/advisories/GHSA-pm37-62g7-p768


Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.