PT-2026-28625 · Avideo · Avideo

Adrgs · Published 2026-03-27 · Updated 2026-03-31 · CVE-2026-34375

CVSS v3.1: 8.2 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions
AVideo versions up to and including 26.0

Description
AVideo is an open source video platform. The YPTWallet Stripe payment confirmation page writes the $_REQUEST['plugin'] parameter directly into a JavaScript block without encoding or sanitization. Because the plugin parameter is not included in the framework's input filter lists, an attacker can inject arbitrary JavaScript by crafting a malicious URL and sending it to a victim user. Successful exploitation of this cross-site scripting (XSS) issue can lead to the exfiltration of the current user's username and password hash via the User::getUserName() and User::getUserPass() functions.

Recommendations
Versions up to and including 26.0 should be updated to a version that includes the fix from commit fa0bc102493a15d79fe03f86c07ab7ca1b5b63e2.
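As an added illustration (not code from AVideo or from the fix commit), the output pattern the advisory describes is shown next to a hardened version; the function names and the plugin allow-list are assumptions:

```php
<?php
// Added illustration, not AVideo's code: the unsafe pattern the advisory
// describes (request data written straight into a <script> block) next to
// a hardened version. Function names and the allow-list are hypothetical.

// Vulnerable pattern: the raw request value is concatenated into JavaScript
// source. A quote, "<" or "</script" in the value changes the parser context,
// so the value becomes code instead of data.
function renderPluginScriptVulnerable(array $request): string
{
    $plugin = $request['plugin'] ?? '';
    return "<script>var plugin = '" . $plugin . "';</script>";
}

// Hardened: 1) treat the parameter as untrusted input and accept only names
// from an allow-list (the advisory notes the parameter bypassed the input
// filters), 2) emit it via json_encode with the HEX flags so <, >, &, ' and "
// are written as \uXXXX escapes and can never close the string or the element.
function renderPluginScriptSafe(array $request, array $allowedPlugins): string
{
    $plugin = (string) ($request['plugin'] ?? '');
    if (!in_array($plugin, $allowedPlugins, true)) {
        $plugin = 'YPTWallet'; // reject unknown values, fall back to the default
    }
    $encoded = json_encode(
        $plugin,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
    return "<script>var plugin = " . $encoded . ";</script>";
}

// Constructed sample value containing the characters that matter in a
// JavaScript-in-HTML context (not a real request).
$request = ['plugin' => "YPTWallet'<x>&\"y"];

echo renderPluginScriptVulnerable($request), PHP_EOL;         // string context is broken
echo renderPluginScriptSafe($request, ['YPTWallet']), PHP_EOL; // value rejected, default used

// The encoder alone, to show that even an accepted value stays context-safe.
echo json_encode("a<b>&'\"", JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT), PHP_EOL;
```

The allow-list handles the case the advisory points at (a parameter that never reached the input filters), while the encoding step protects any value that is legitimately echoed into script.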

Tags: Exploit · Fix · XSS

Weakness Enumeration

Related Identifiers
CVE-2026-34375
GHSA-PM37-62G7-P768

Affected Products
Avideo