Description

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the User_Location plugin's testIP.php page reflects the ip request parameter directly into an HTML input element without applying htmlspecialchars() or any other output encoding. This allows an attacker to inject arbitrary HTML and JavaScript via a crafted URL. Although the page is restricted to admin users, AVideo's SameSite=None cookie configuration allows cross-origin exploitation, meaning an attacker can lure an admin to a malicious link that executes JavaScript in their authenticated session. At time of publication, there are no publicly available patches.

INFO

Published Date :

2026-03-31T20:56:16.167Z

Last Modified :

2026-04-01T13:38:13.352Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-34739 vulnerability.

Vendors Products
Wwbn
  • Avideo
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-34739.

URL Resource
https://github.com/WWBN/AVideo/security/advisories/GHSA-jqrj-chh6-8h78 cve-icon cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact