CVE Catalog

CVE-2026-56347

MediumCVSS 6.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.17%

6th percentile — higher than 6% of all known CVEs

Summary

The AVideo TopMenu plugin through version 26.0 contains a stored cross-site scripting (XSS) vulnerability in menu item rendering due to missing output encoding of icon classes, URLs, and text labels. Attackers can inject malicious JavaScript through unescaped menu item fields, potentially stealing session cookies or performing unauthorized actions.

Risk Assessment

This vulnerability poses a risk to all site visitors, as it may lead to session data theft and unauthorized access to user accounts.

Recommendation

It is recommended to update the AVideo TopMenu plugin to the latest version to mitigate this vulnerability and implement proper output encoding mechanisms for all data displayed on the site.

Original NVD description (English source)

AVideo TopMenu plugin through version 26.0 contains a stored cross-site scripting vulnerability in menu item rendering due to missing output encoding of icon classes, URLs, and text labels. Attackers can inject malicious JavaScript through unescaped menu item fields that execute for all site visitors, potentially stealing session cookies or performing unauthorized actions.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS