PatchSiren cyber security CVE debrief
CVE-2026-60092 AVideo CVE debrief
AVideo Meet plugin vulnerability CVE-2026-60092. Stored cross-site scripting via unescaped User-Agent in participants panel. The issue was unpatched at the time of the report. The vulnerability allows an anonymous attacker to join public meetings with a malicious User-Agent header, leading to XSS attacks on meeting hosts or site administrators. This CVE was published on 2026-07-08T14:17:22.370Z and was last modified on 2026-07-10T18:22:49.657Z. The NVD entry is currently Deferred. Evidence is limited to public CVE and NVD information. AVideo Meet plugin through commit e8d6119f3cb1b849149906efeb0a41fc024f59f8 is affected.
- Vendor
- AVideo
- Product
- Unknown
- CVSS
- MEDIUM 5.1
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-08
- Original CVE updated
- 2026-07-10
- Advisory published
- 2026-07-08
- Advisory updated
- 2026-07-10
Who should care
Users of AVideo Meet plugin, particularly those hosting public meetings, should be aware of this vulnerability. Site administrators and meeting hosts are at risk of XSS attacks. They should verify their plugin version and apply patches or updates if available.
Technical summary
The AVideo Meet plugin through commit e8d6119f3cb1b849149906efeb0a41fc024f59f8 contains a stored cross-site scripting vulnerability. When a participant joins a public meeting, the raw HTTP User-Agent header is stored without sanitization and later echoed without output encoding in the Participants management panel. An anonymous attacker can join any public meeting with a User-Agent header containing an HTML/JavaScript payload, which executes in the privileged browser session of the meeting host or site administrator when they open the participant list.
Defensive priority
Medium priority due to the CVSS score of 5.1 and the potential for XSS attacks.
Recommended defensive actions
- Inventory and verify AVideo Meet plugin version
- Apply patches or updates if available
- Implement compensating controls such as web application firewalls
- Monitor for suspicious activity
- Educate users on secure practices
- Review and update incident response plans
- Conduct vulnerability scanning and penetration testing
Evidence notes
The CVE record was published on 2026-07-08T14:17:22.370Z and was last modified on 2026-07-10T18:22:49.657Z. The NVD entry is currently Deferred. The vulnerability affects AVideo Meet plugin through commit e8d6119f3cb1b849149906efeb0a41fc024f59f8. Evidence is limited to public CVE and NVD information.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-08T14:17:22.370Z and has not been modified since then. The NVD entry is currently Deferred.