
Description

The AVideo TopMenu plugin through version 26.0 contains a stored cross-site scripting vulnerability in menu item rendering, caused by missing output encoding of icon classes, URLs, and text labels. Attackers can inject malicious JavaScript through the unescaped menu item fields; the script executes for all site visitors, potentially stealing session cookies or performing unauthorized actions.

PUBLISHED Reserved 2026-06-20 | Published 2026-06-20 | Updated 2026-06-20 | Assigner VulnCheck




MEDIUM: 5.3 | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N
MEDIUM: 6.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Problem types

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Product status

Default status: unaffected

Any version: affected

Credits

adrgs (reporter)

aisafe-bot (finder)

References

github.com/...AVideo/security/advisories/GHSA-gmpc-fxg2-vcmq (GHSA Advisory GHSA-gmpc-fxg2-vcmq) vendor-advisory

www.vulncheck.com/...cripting-via-unescaped-menu-item-fields (VulnCheck Advisory: AVideo TopMenu Plugin - Stored Cross-Site Scripting via Unescaped Menu Item Fields) third-party-advisory

cve.org (CVE-2026-56347)

nvd.nist.gov (CVE-2026-56347)
