CVE-2026-56347 | AVideo TopMenu plugin through version 26.0 contains a stored… | CVSS 6.1 MEDIUM

Description

AVideo TopMenu plugin through version 26.0 contains a stored cross-site scripting vulnerability in menu item rendering due to missing output encoding of icon classes, URLs, and text labels. Attackers can inject malicious JavaScript through unescaped menu item fields that execute for all site visitors, potentially stealing session cookies or performing unauthorized actions.

Metadata

CVE ID: CVE-2026-56347
State: PUBLISHED
Assigner: VulnCheck
Reserved: 2026-06-20 18:13 UTC
Published: 2026-06-20 18:27 UTC
Last updated: 2026-06-20 18:27 UTC
Primary CWE: CWE-79
Improper Neutralization of Input During Web Page Generation …
Vendor / Product: WWBN / AVideo
Sources: cve.org · NVD

Severity & Metrics

6.1 MEDIUM CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Affected products (1)

Vendor	Product	Platform	Versions
WWBN	AVideo	—	0 ≤ 26.0

Weakness (CWE)

CWE	Source	Description
CWE-79	cna	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS scores (2)

Score	Severity	Version	Source	Vector
6.1	MEDIUM	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
5.3	MEDIUM	4.0	cna	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

References (2)

GHSA Advisory GHSA-gmpc-fxg2-vcmq https://github.com/WWBN/AVideo/security/advisories/GHSA-gmpc-fxg2-vcmq
VulnCheck Advisory: AVideo TopMenu Plugin - Stored Cross-Site Scripting via Unescaped Menu Item Fields https://www.vulncheck.com/advisories/avideo-topmenu-plugin-stored-cross-site-scripting-via-unescaped-menu-item-fields