CVE-2026-60092 in AVideoinfo

Summary

by MITRE • 07/08/2026

AVideo (Meet plugin) through commit e8d6119f3cb1b849149906efeb0a41fc024f59f8 contains a stored cross-site scripting vulnerability in the Meet plugin's getMeetInfo.json.php endpoint. When a participant joins a public meeting, the raw HTTP User-Agent header is stored (meet_join_log.user_agent) without sanitization (bypassing AVideo's setter-level xss_esc() layer) and later echoed without output encoding (no htmlspecialchars()) in the Participants management panel, which is accessible to the meeting host and site administrators. An anonymous, unauthenticated attacker can join any public meeting while supplying a User-Agent header containing an HTML/JavaScript payload; the payload is persisted and executes in the privileged, authenticated browser session of the meeting host or a site administrator when they open the participant list. The issue was unpatched at the time of the report.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 07/08/2026

This vulnerability represents a critical stored cross-site scripting flaw within the AVideo Meet plugin ecosystem that exploits improper input sanitization and output encoding practices. The vulnerability exists in the getMeetInfo.json.php endpoint where user-supplied data from HTTP headers is processed without adequate security measures, creating a persistent threat vector that can compromise high-privilege users. The specific technical flaw occurs at the data handling layer where the User-Agent header value is stored directly into the meet_join_log.user_agent database field without sanitization, bypassing AVideo's built-in xss_esc() protection mechanisms that are intended to prevent such attacks. This represents a clear violation of secure coding principles and falls under CWE-79 - Cross-site Scripting, specifically categorized as a stored XSS vulnerability where malicious payloads persist in the application's data store.

The operational impact of this vulnerability is severe as it enables attackers to execute arbitrary JavaScript code within the authenticated sessions of meeting hosts and site administrators. When an anonymous attacker joins a public meeting and submits a malicious User-Agent header containing HTML/JavaScript payload, that payload becomes permanently stored in the database and subsequently rendered without proper output encoding when the privileged users view the participant management panel. This creates a privilege escalation scenario where unauthenticated attackers can potentially gain full administrative control over meetings and systems, as the executing context operates with elevated privileges of the meeting host or administrator. The vulnerability is particularly dangerous because it leverages the trust relationship between legitimate users and the application interface, making detection difficult and exploitation straightforward.

The attack vector requires minimal prerequisites as it only needs an attacker to join any public meeting and supply a malicious User-Agent header value, making this vulnerability highly exploitable in environments where public meetings are enabled. The lack of authentication requirements for triggering the vulnerability means that even unauthenticated attackers can establish persistent threats against legitimate users with elevated privileges. This aligns with ATT&CK technique T1531 - Account Access Removal and T1078 - Valid Accounts, as compromised privileged sessions can be leveraged to maintain access or escalate privileges within the system. The absence of patching at the time of reporting indicates a significant security gap in the application's vulnerability management process, leaving users exposed to potential exploitation for extended periods.

Mitigation strategies should focus on implementing proper input sanitization at multiple layers including immediate validation and encoding of user-supplied data before storage, and ensuring output encoding is applied when rendering stored values. The system architecture requires strengthening of the xss_esc() layer to prevent bypasses and implementation of Content Security Policy headers to limit the execution scope of any successful XSS payloads. Administrators should consider disabling public meeting features if not essential, implementing additional monitoring for unusual User-Agent patterns, and conducting regular security audits of data handling processes within the application's core components. The vulnerability demonstrates critical importance of defense-in-depth approaches where multiple security controls work together to prevent exploitation even when individual layers fail.

Responsible

VulnCheck

Reservation

07/08/2026

Disclosure

07/08/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Interested in the pricing of exploits?

See the underground prices here!