PT-2026-29355 · Avideo · Avideo

Adrgs · Published 2026-03-31 · Updated 2026-04-01 · CVE-2026-34396

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: AVideo versions 26.0 and prior
Description: The AVideo admin panel does not properly encode plugin configuration values when rendering them in HTML forms. The jsonToFormElements() function in admin/functions.php interpolates user-controlled values directly into textarea contents, option elements, and input attributes. An attacker who can set a plugin configuration value, either through a compromised admin account or by exploiting a Cross-Site Request Forgery (CSRF) issue on the admin/save.json.php endpoint, can therefore inject arbitrary JavaScript, which executes whenever an administrator visits the plugin configuration page.

The unsafe output points are all within jsonToFormElements(): the handling of textarea content, select options, and input types/values. The vulnerability can be exploited directly if an admin session is available, or chained with a CSRF attack, in which case no authentication is required. Successful exploitation could allow an attacker to steal admin session cookies, create new admin accounts, modify site configuration, inject persistent JavaScript into public-facing pages, or potentially pivot to server-side code execution. The admin/save.json.php API endpoint saves configuration values without CSRF validation.
Recommendations: Apply htmlspecialchars($value, ENT_QUOTES, 'UTF-8') to all user-controlled values rendered in admin/functions.php:
  • In admin/functions.php line 47, encode the textarea content using htmlspecialchars($valueJson->value, ENT_QUOTES, 'UTF-8').
  • In admin/functions.php line 55, encode the select option values using htmlspecialchars($key, ENT_QUOTES, 'UTF-8') and htmlspecialchars($value, ENT_QUOTES, 'UTF-8').
  • In admin/functions.php lines 62-63, encode the input type and value attributes using htmlspecialchars($valueJson->type, ENT_QUOTES, 'UTF-8') and htmlspecialchars($valueJson->value, ENT_QUOTES, 'UTF-8').
  • In admin/functions.php line 75, encode the fallback input value using htmlspecialchars($valueJson, ENT_QUOTES, 'UTF-8').
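As an added illustration, not AVideo's code and not the real jsonToFormElements() implementation, the following PHP sketch contrasts a form renderer that interpolates configuration values raw with one that applies the recommended htmlspecialchars(..., ENT_QUOTES, 'UTF-8') encoding at each output point the advisory names (textarea content, option value/label, input type/value). The $config shape, the field names and the h() helper are assumptions constructed for this example.

```php
<?php
// Added illustration, not AVideo's code: a simplified stand-in for the
// rendering pattern the advisory describes in jsonToFormElements().
// Field names, the $config shape and the h() helper are assumptions.

// Constructed plugin configuration, shaped like what an admin could save
// through the configuration API. Two values carry markup that would
// break out of the surrounding HTML if rendered unencoded.
$config = (object) [
    'title' => 'Demo" onmouseover="x()',
    'notes' => (object) [
        'type'  => 'textarea',
        'value' => '</textarea><b>injected</b>',
    ],
    'mode'  => (object) [
        'type'    => 'select',
        'value'   => 'a',
        'options' => ['a' => 'Alpha', 'b' => 'Beta'],
    ],
];

// Vulnerable pattern: values are interpolated into HTML as-is, so a value
// can close the textarea early, terminate an attribute, or add a new one.
function renderUnsafe(object $config): string
{
    $html = '';
    foreach ($config as $name => $v) {
        if (is_object($v) && $v->type === 'textarea') {
            $html .= "<textarea name=\"$name\">{$v->value}</textarea>\n";
        } elseif (is_object($v) && $v->type === 'select') {
            $html .= "<select name=\"$name\">";
            foreach ($v->options as $key => $label) {
                $sel = ($key === $v->value) ? ' selected' : '';
                $html .= "<option value=\"$key\"$sel>$label</option>";
            }
            $html .= "</select>\n";
        } else {
            $type  = is_object($v) ? $v->type : 'text';
            $value = is_object($v) ? $v->value : $v;
            $html .= "<input type=\"$type\" name=\"$name\" value=\"$value\">\n";
        }
    }
    return $html;
}

// Hardened pattern, following the advisory's recommendation: every
// user-controlled string passes through htmlspecialchars() with ENT_QUOTES
// (so both " and ' are encoded) and an explicit UTF-8 charset.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

function renderSafe(object $config): string
{
    $html = '';
    foreach ($config as $name => $v) {
        $n = h($name);
        if (is_object($v) && $v->type === 'textarea') {
            $html .= "<textarea name=\"$n\">" . h($v->value) . "</textarea>\n";
        } elseif (is_object($v) && $v->type === 'select') {
            $html .= "<select name=\"$n\">";
            foreach ($v->options as $key => $label) {
                $sel = ($key === $v->value) ? ' selected' : '';
                $html .= '<option value="' . h((string) $key) . "\"$sel>" . h($label) . '</option>';
            }
            $html .= "</select>\n";
        } else {
            $type  = is_object($v) ? $v->type : 'text';
            $value = is_object($v) ? $v->value : $v;
            $html .= '<input type="' . h($type) . "\" name=\"$n\" value=\"" . h((string) $value) . "\">\n";
        }
    }
    return $html;
}

echo "--- unencoded (vulnerable pattern) ---\n", renderUnsafe($config);
echo "--- encoded (recommended fix) ---\n", renderSafe($config);
```

Running the script with the PHP CLI shows the difference directly: in the unencoded output the notes value closes the textarea and the title value terminates the value attribute and adds an event-handler attribute, whereas in the encoded output both values appear as inert literal text. ENT_QUOTES is the part that matters for the attribute cases, because the default flags leave single quotes unencoded and a value rendered inside a single-quoted attribute elsewhere in a template would still break out.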

XSS

Weakness Enumeration

Related Identifiers

CVE-2026-34396
GHSA-V4H7-3X43-QQW4

Affected Products

Avideo