PT-2026-29360 · Unknown+1 · Jquery Toast Plugin+1

Adrgs · Published 2026-03-31 · Updated 2026-04-01 · CVE-2026-34716

CVSS v3.1: 6.4 Medium

Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions

AVideo versions 26.0 and prior

Description

The AVideo YPTSocket plugin's caller feature in versions 26.0 and prior renders incoming call notifications using the jQuery Toast Plugin, passing the caller's display name directly as the heading parameter. The toast plugin constructs the heading as raw HTML and inserts it into the DOM via jQuery's .html() method, which parses and executes any embedded HTML or script content. An attacker can set their display name to a cross-site scripting (XSS) payload and trigger code execution on any online user's browser simply by initiating a call. No victim interaction is required beyond being connected to the WebSocket.

Recommendations

At the moment, there is no information about a newer version that contains a fix for this vulnerability.
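Until a fixed release is available, the display name can be HTML-encoded before it reaches the toast's heading, so that .html() renders it as text. The following is an added example, not code from AVideo or the jQuery Toast Plugin; every function name, the 64-character limit and the fallback label are assumptions made for illustration.

```javascript
// Added example (hypothetical helper names): encode an untrusted caller
// display name before passing it as the toast `heading`, which the
// description says is inserted into the DOM via jQuery's .html().

const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;',
  '"': '&quot;', "'": '&#39;', '`': '&#96;',
};

// Encode every character that can start a tag, an attribute value or an entity.
function escapeHtml(value) {
  return String(value ?? '').replace(/[&<>"'`]/g, (ch) => HTML_ESCAPES[ch]);
}

// Normalise the raw name: control characters become spaces, whitespace is
// collapsed, and the result is capped (maxLen is an assumed limit).
function normalizeDisplayName(name, maxLen = 64) {
  const cleaned = String(name ?? '')
    .replace(/[\u0000-\u001f\u007f]/g, ' ')
    .replace(/\s+/g, ' ')
    .trim();
  return Array.from(cleaned).slice(0, maxLen).join('') || 'Unknown caller';
}

// Build the options object for the notification. The heading is encoded
// last, after truncation, so an entity is never cut in half.
function buildCallToastOptions(callerName) {
  return {
    heading: escapeHtml(normalizeDisplayName(callerName)),
    text: 'Incoming call',
  };
}

// In a browser with the plugin loaded this shows the toast; elsewhere it
// only returns the options so the encoding can be checked offline.
function notifyIncomingCall(callerName) {
  const options = buildCallToastOptions(callerName);
  if (typeof $ !== 'undefined' && typeof $.toast === 'function') {
    $.toast(options);
  }
  return options;
}
```

Encoding on output protects this one sink only; validating display names server-side when they are set covers other places that may render the same value.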

Exploit

XSS


Weakness Enumeration

Related Identifiers

CVE-2026-34716
GHSA-W4HP-W536-JG64

Affected Products

Avideo
Jquery Toast Plugin