PT-2026-43461 · Avideo · Live Plugin

Offset · Published 2026-05-15 · Updated 2026-05-29 · CVE-2026-45580

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: AVideo versions 29.0 and earlier

Description: A stored cross-site scripting issue exists in the Live plugin's "YouTube-style" view. The application renders the live transmission's stream key into an HTML class attribute using a raw echo, without escaping it for the attribute context. A user with the canStream permission can persist a malicious key containing an event handler via the 'plugin/Live/saveLive.php' endpoint. When any visitor, including anonymous users and administrators, opens the affected stream's live page, the attacker's JavaScript executes within the platform's origin. This can allow the attacker to steal session cookies, read DOM content, or perform unauthorized actions if the victim is an administrator.

Recommendations: Update AVideo to a version later than 29.0. As a temporary mitigation, restrict the canStream permission to trusted users only, so that malicious stream keys cannot be persisted. Restrict access to the 'plugin/Live/saveLive.php' endpoint to minimize the risk of exploitation.
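The unsafe rendering pattern described above beside a hardened version, as an added illustration that is not AVideo's own code; the function names, the `$streamKey` variable and the sample key are constructed for this example:

```php
<?php
// Added example (not AVideo's code). Shows why a raw echo of the stream key
// into a class attribute is exploitable, and two defensive measures.

// Vulnerable pattern: the persisted stream key is concatenated straight into
// an HTML attribute. A double quote in the key closes the attribute, so any
// following text becomes new attribute(s) on the element.
function renderLiveClassVulnerable(string $streamKey): string {
    return '<div class="live-' . $streamKey . '">';
}

// Hardened output: escape for the HTML attribute context. ENT_QUOTES makes
// both quote characters entities, so the key can no longer leave the
// attribute value; ENT_SUBSTITUTE avoids emitting nothing on invalid UTF-8.
function renderLiveClassEscaped(string $streamKey): string {
    $safe = htmlspecialchars($streamKey, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<div class="live-' . $safe . '">';
}

// Defense in depth at save time (the saveLive.php step): a stream key has no
// business containing quotes, spaces or angle brackets, so reject anything
// outside a conservative allowlist before it is persisted. The pattern is
// an assumption about what a key should look like, not AVideo's rule.
function isValidStreamKey(string $streamKey): bool {
    return preg_match('/^[A-Za-z0-9_-]{1,128}$/', $streamKey) === 1;
}

// Constructed sample: a key that closes the attribute and adds another one.
$sample = 'abc" data-x="<b>';

echo renderLiveClassVulnerable($sample), "\n"; // attribute boundary broken
echo renderLiveClassEscaped($sample), "\n";    // quotes and brackets encoded
var_dump(isValidStreamKey($sample));           // bool(false): rejected on save
var_dump(isValidStreamKey('live_key-2026'));   // bool(true)
```

Escaping fixes the rendering sink; the allowlist check prevents a bad key from being stored in the first place, which is the equivalent of the interim canStream restriction above.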

Tags: Fix, XSS


Weakness Enumeration

Related Identifiers
CVE-2026-45580
GHSA-M5J4-7R85-2CJ2

Affected Products
Avideo
Live Plugin