PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-45580 WWBN CVE debrief

A stored cross-site scripting (XSS) vulnerability exists in WWBN AVideo versions 29.0 and earlier. The Live plugin's 'YouTube-style' view renders the live transmission's stream key into an HTML class attribute via raw echo without proper output encoding. A user with canStream privileges can persist a malicious stream key containing double-quote characters and event handlers through plugin/Live/saveLive.php. When any visitor (authenticated or anonymous) opens the affected stream's live page, the attacker-supplied JavaScript executes in the context of the platform origin. The vulnerability was published to the CVE List on 2026-05-29 and is currently undergoing analysis by NVD.

Vendor
WWBN
Product
AVideo
CVSS
MEDIUM 5.4
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-29
Original CVE updated
2026-05-29
Advisory published
2026-05-29
Advisory updated
2026-05-29

Who should care

Organizations operating public or private AVideo instances with live streaming enabled; security teams managing user-generated content platforms; developers maintaining AVideo deployments with the Live plugin active.

Technical summary

The vulnerability stems from insufficient output encoding when rendering the streamKey parameter in the Live plugin's view template. Echoing the raw value into an HTML class attribute lets a double quote terminate the attribute, so the remainder of the key is parsed as additional attributes, including JavaScript event handlers. An attacker with stream creation capabilities can therefore achieve persistent script execution in the browser of every viewer of the compromised stream. The attack requires low privileges (canStream) and user interaction (viewing the stream); the changed scope reflects that the impact lands in viewers' browsers rather than in the vulnerable component itself.
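The rendering defect described above, shown as an added PHP example that is not AVideo's own code: the stream key echoed raw into a class attribute beside the same template line with attribute-context encoding. The function names and the sample key are constructed for illustration.

```php
<?php
// Added example (not AVideo's own code): a stream key written into an HTML
// class attribute, first without output encoding (the defect the advisory
// describes) and then with attribute-context encoding (the fix).
// Function names and the sample key are constructed for illustration.

function renderViewerRaw(string $streamKey): string {
    // Vulnerable pattern: the value is concatenated as-is, so a double quote
    // inside the key closes the attribute and whatever follows becomes new
    // attributes on the element.
    return '<div class="live-' . $streamKey . '"></div>';
}

function renderViewerEncoded(string $streamKey): string {
    // Fix: encode for the attribute context. ENT_QUOTES converts both " and '
    // to entities, so the quoted attribute cannot be terminated early, and
    // < > & are converted as well.
    $safe = htmlspecialchars($streamKey, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<div class="live-' . $safe . '"></div>';
}

// Constructed sample: a key carrying a quote followed by an attribute-shaped
// fragment, the shape of input the advisory warns about.
$sample = 'key1" data-x="y';

echo renderViewerRaw($sample), PHP_EOL;      // attribute boundary is broken
echo renderViewerEncoded($sample), PHP_EOL;  // quote becomes &quot;, stays inside the attribute
```

The encoded variant keeps the whole key inside the single class attribute; the raw variant hands the browser a second attribute it never intended to emit. The same htmlspecialchars call with ENT_QUOTES is the right choice wherever a value lands inside a quoted attribute, not only for class.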

Defensive priority

medium

Recommended defensive actions

  • Apply vendor-supplied patches for AVideo when available, prioritizing updates beyond version 29.0
  • Review and restrict canStream privileges to trusted users only as an interim mitigation
  • Implement Content Security Policy (CSP) headers to mitigate impact of XSS payloads
  • Audit existing live streams for suspicious stream keys containing HTML metacharacters or event handler patterns
  • Enable HTTP-only and secure cookie flags to reduce session hijacking risk from potential XSS exploitation
  • Monitor web application logs for unusual saveLive.php requests containing encoded quote characters or script fragments
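One way to carry out the audit and interim-validation actions above, as an added PHP example that is not AVideo's own code: a scan over stored stream keys for HTML metacharacters and event-handler patterns, plus an allowlist check suitable for rejecting a key before it is saved. The allowed key format, the function names and the sample rows are assumptions for illustration; the real format of AVideo stream keys is not stated on this page.

```php
<?php
// Added example (not AVideo's own code): audit stored stream keys for the
// metacharacters and event-handler patterns the advisory describes, and
// allowlist-validate keys before they are persisted.
// ALLOWED_KEY_PATTERN, the function names and the sample rows are assumptions.

const ALLOWED_KEY_PATTERN = '/^[A-Za-z0-9_-]{1,128}$/';

function isValidStreamKey(string $key): bool {
    // Allowlist check: anything outside letters, digits, '_' and '-' is
    // rejected, which removes every character that could affect HTML parsing.
    return preg_match(ALLOWED_KEY_PATTERN, $key) === 1;
}

function suspiciousKeyFindings(string $key): array {
    // Reasons a stored key should be reviewed; several may apply at once.
    $findings = [];
    if (preg_match('/["\'<>]/', $key)) {
        $findings[] = 'html-metacharacter';
    }
    if (preg_match('/\bon[a-z]+\s*=/i', $key)) {
        $findings[] = 'event-handler-attribute';
    }
    if (preg_match('/<\s*script|javascript:/i', $key)) {
        $findings[] = 'script-fragment';
    }
    return $findings;
}

function auditStreamKeys(array $rows): array {
    // $rows is a list of ['id' => int, 'key' => string] taken from the
    // live-stream table. Only rows that need review are returned.
    $flagged = [];
    foreach ($rows as $row) {
        $findings = suspiciousKeyFindings($row['key']);
        if ($findings === [] && !isValidStreamKey($row['key'])) {
            // Not obviously hostile, but outside the allowlist: still worth a look.
            $findings[] = 'outside-allowlist';
        }
        if ($findings !== []) {
            $flagged[] = ['id' => $row['id'], 'findings' => $findings];
        }
    }
    return $flagged;
}

// Constructed sample rows standing in for the live-stream table.
$rows = [
    ['id' => 1, 'key' => 'a1b2c3d4-stream'],
    ['id' => 2, 'key' => 'key" data-x="y'],
    ['id' => 3, 'key' => 'key with spaces'],
];

foreach (auditStreamKeys($rows) as $hit) {
    printf("stream %d needs review: %s\n", $hit['id'], implode(', ', $hit['findings']));
}
```

Run the audit once against the existing table to find keys that predate any patch, and wire isValidStreamKey into the save path as the interim mitigation while the vendor fix is pending; output encoding in the template remains the actual fix, and the allowlist is defense in depth on top of it.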

Evidence notes

The vulnerability description indicates the flaw exists in AVideo 29.0 and earlier. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) yields a base score of 5.4 (MEDIUM). The weakness is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). The source reference points to a GitHub Security Advisory. No KEV listing or known ransomware campaign use is indicated.

Official resources

2026-05-29