CVE-2026-45580: AVideo: stored XSS via unescaped stream key in modeYoutubeLive.php class attribute

Type: Stored cross-site scripting. The Live plugin’s “YouTube-style” view renders the live transmission’s stream key into an HTML class attribute by raw echo, without htmlspecialchars(). A canStream user can persist a key containing " plus an event handler via plugin/Live/saveLive.php, and any visitor (logged in or anonymous) opening the stream’s live page executes attacker JavaScript in the platform origin. File: plugin/Live/view/modeYoutubeLive.php, line 203. Root cause: the template builds a live-status hook by concatenating the database key into a class name: class="title_liveKey_<?php echo $livet['key'] ?>". There is no escaping. The persistence path plugin/Live/saveLive.php:30 accepts $_REQUEST['key'] verbatim into live_transmitions.key (the auto-generation path uses uniqid(), but the manual save path lets the caller override it with anything). The on_publish.php:117 sanitiser strips only & and =, not ", <, or >, so the poisoned value also passes through every internal data flow. The admin-side rendering of the same field is similarly unescaped, so an admin opening the stream details page gets the same XSS in admin context.