CVE-2026-60092

Source
https://cve.org/CVERecord?id=CVE-2026-60092
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-60092.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-60092
Aliases
Published
2026-07-08T13:51:30.509Z
Modified
2026-07-16T03:31:03.975617236Z
Severity
  • 5.1 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N CVSS Calculator
Summary
AVideo - Stored Cross-Site Scripting via Unescaped User-Agent in Participants Panel
Details

AVideo (Meet plugin) through commit e8d6119f3cb1b849149906efeb0a41fc024f59f8 contains a stored cross-site scripting vulnerability in the Meet plugin's getMeetInfo.json.php endpoint. When a participant joins a public meeting, the raw HTTP User-Agent header is stored (meetjoinlog.useragent) without sanitization (bypassing AVideo's setter-level xssesc() layer) and later echoed without output encoding (no htmlspecialchars()) in the Participants management panel, which is accessible to the meeting host and site administrators. An anonymous, unauthenticated attacker can join any public meeting while supplying a User-Agent header containing an HTML/JavaScript payload; the payload is persisted and executes in the privileged, authenticated browser session of the meeting host or a site administrator when they open the participant list. The issue was unpatched at the time of the report.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/60xxx/CVE-2026-60092.json",
    "cwe_ids": [
        "CWE-79"
    ],
    "cna_assigner": "VulnCheck"
}
References

Affected packages

Git / github.com/wwbn/avideo

Affected ranges

Type
GIT
Repo
https://github.com/wwbn/avideo
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "source": "REFERENCES"
}

Affected versions

10.*
10.8
Other
11
11.*
11.1
11.1.1
11.5
11.6
12.*
12.4
14.*
14.3
14.3.1
18.*
18.0
2.*
2.2
2.7
21.*
21.0
22.*
22.0
24.*
24.0
25.*
25.0
26.*
26.0
29.*
29.0
3.*
3.4
4.*
4.0
7.*
7.2
7.3
7.4
7.6
7.7
7.8
8.*
8.1
8.5
8.6
8.7
8.9
8.9.1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-60092.json"