CVE-2026-56347

AVideo TopMenu Plugin - Stored Cross-Site Scripting via Unescaped Menu Item Fields

CVSS 5.3 MEDIUMEPSS 0.2%CWE-79

Vexday Risk Score

13Bajo

Decisión SSVC (CISA)

Track

Sin señal de explotación → monitorear

CVSS 5.3EPSS 0.2%KEV nãoPoC —Nuclei —Metasploit —Patch referenciado

Ciclo de vida

20 jun 2026Publicada en NVD

Recomendación: Monitorear — sin señal de explotación por ahora.

AVideo TopMenu plugin through version 26.0 contains a stored cross-site scripting vulnerability in menu item rendering due to missing output encoding of icon classes, URLs, and text labels. Attackers can inject malicious JavaScript through unescaped menu item fields that execute for all site visitors, potentially stealing session cookies or performing unauthorized actions.

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Productos afectados

WWBN · AVideo

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →

Referencias

https://github.com/WWBN/AVideo/security/advisories/GHSA-gmpc-fxg2-vcmq https://www.vulncheck.com/advisories/avideo-topmenu-plugin-stored-cross-site-scripting-via-unescaped-menu-item-fields