CVE-2026-34716: AVideo: DOM XSS via Unsanitized Display Name in WebSocket Call Notification

April 1, 2026

The AVideo YPTSocket plugin’s caller feature renders incoming call notifications using the jQuery Toast Plugin, passing the caller’s display name directly as the heading parameter. The toast plugin constructs the heading as raw HTML ('<h2>' + heading + '</h2>') and inserts it into the DOM via jQuery’s .html() method, which parses and executes any embedded HTML or script content. An attacker can set their display name to an XSS payload and trigger code execution on any online user’s browser simply by initiating a call - no victim interaction is required beyond being connected to the WebSocket.

References

github.com/WWBN/AVideo
github.com/WWBN/AVideo/security/advisories/GHSA-w4hp-w536-jg64
github.com/advisories/GHSA-w4hp-w536-jg64
nvd.nist.gov/vuln/detail/CVE-2026-34716

Code Behaviors & Features

Detect and mitigate CVE-2026-34716 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →