PT-2026-29366 · Avideo+1

Adrgs · Published 2026-03-31 · Updated 2026-03-31 · CVE-2026-34739

CVSS v3.1: 6.1 Medium (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

Name of the Vulnerable Software and Affected Versions

AVideo versions prior to 26.0

Description

AVideo is an open source video platform. Versions 26.0 and earlier have a reflected cross-site scripting (XSS) issue in the User Location plugin's testIP.php page. The ip request parameter is directly included in an HTML input element without proper output encoding. This allows an attacker to inject arbitrary HTML and JavaScript through a specially crafted URL. While the page is limited to administrator users, the SameSite=None cookie configuration enables cross-origin exploitation. An attacker can trick an administrator into clicking a malicious link, which then executes JavaScript within their authenticated session. The vulnerable parameter is ip.

Recommendations

At the moment, there is no information about a newer version that contains a fix for this vulnerability.
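
With no fixed version listed, operators can review web access logs for requests to testIP.php whose ip parameter is not a syntactically valid IP address, and note whether the Referer is another origin. The following is an added example, not part of the advisory or of AVideo's code; it assumes combined-format access logs, and `/PLUGIN_PATH/`, `video.example` and the log lines are constructed placeholders.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Request target and Referer fields of a combined-format access log line.
LOG_RE = re.compile(
    r'"(?:GET|POST) (?P<target>\S+) HTTP/[\d.]+" \d{3} \S+ "(?P<referer>[^"]*)"'
)

# Constructed sample lines; /PLUGIN_PATH/ stands in for the real plugin directory.
SAMPLE_LOG = [
    '203.0.113.5 - - [31/Mar/2026:10:00:00 +0000] "GET /PLUGIN_PATH/testIP.php?ip=198.51.100.7 HTTP/1.1" 200 512 "https://video.example/admin" "UA"',
    '203.0.113.5 - - [31/Mar/2026:10:01:00 +0000] "GET /PLUGIN_PATH/testIP.php?ip=198.51.100.7%22%3Ex HTTP/1.1" 200 540 "https://other.example/page" "UA"',
    '203.0.113.9 - - [31/Mar/2026:10:02:00 +0000] "GET /index.php?ip=abc HTTP/1.1" 200 100 "-" "UA"',
]

def is_ip(value):
    """True if value parses as an IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def suspicious_testip_requests(lines, site_host):
    """Return (decoded ip value, referer host, cross_origin) for each
    testIP.php request whose ip parameter is not an IP address."""
    findings = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if not url.path.endswith("/testIP.php"):
            continue
        ref_host = urlsplit(m.group("referer")).hostname or "-"
        # parse_qs percent-decodes values, so encoded quotes and brackets are visible.
        for value in parse_qs(url.query).get("ip", []):
            if not is_ip(value):
                findings.append((value, ref_host, ref_host != site_host))
    return findings

if __name__ == "__main__":
    for finding in suspicious_testip_requests(SAMPLE_LOG, "video.example"):
        print(finding)
```

The same validity test (accept the ip value only if it parses as an IP address) can be enforced in front of the application as a request filter until a fixed release is available.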

XSS

Weakness Enumeration

Related Identifiers

CVE-2026-34739

Affected Products

Avideo
User Location