CVE-2026-43878: Video: Reflected XSS in plugin/Meet/iframe.php via Unescaped user and pass Parameters in JavaScript String Literal

May 5, 2026

plugin/Meet/iframe.php echoes the attacker-controlled user and pass query parameters unescaped into a JavaScript double-quoted string literal inside a <script> block. An attacker who sends a victim to a crafted URL can break out of the string and execute arbitrary JavaScript in the victim’s browser in the context of the AVideo origin. No authentication is required if a public Meet schedule exists on the target.

References

github.com/WWBN/AVideo
github.com/WWBN/AVideo/commit/3298ced2bcf92e4f3acff6ce9bde14edf42ecb5b
github.com/WWBN/AVideo/security/advisories/GHSA-mm5f-8q57-4fc4
github.com/advisories/GHSA-mm5f-8q57-4fc4
nvd.nist.gov/vuln/detail/CVE-2026-43878

Code Behaviors & Features

Detect and mitigate CVE-2026-43878 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →