Common XSS Vulnerabilities in Video Conferencing Apps: Causes and Fixes

The common thread is trusting data that originates from participants and then reflecting it into the DOM or a server‑generated page without proper encoding, validation, or CSP enforcement.

June 18, 2026 · 6 min read · Common Issues

1. What causes XSS vulnerabilities in video‑conferencing apps

Root cause | Why it appears in a conferencing product
Unsanitized user‑generated content | Chat messages, display names, file‑share comments, and poll options are stored and later rendered as HTML/JS in the meeting UI. If the server trusts this data and injects it directly into the DOM, an attacker can embed .

  • The UI builds the participant tile with innerHTML, leaking session cookies.
  • Poll option XSS – A poll creator adds an option containing . When the poll is displayed, the SVG loads and the payload executes, harvesting WebRTC keys.
  • Screen‑share thumbnail hijack – The server returns a JSON payload with thumbnailUrl":"data:image/svg+xml,". The client injects the URL directly into an <img> tag, triggering the script.
  • Link preview abuse – Participants paste a meeting link in the chat. The preview generator fetches the URL and injects the og:title into the DOM without sanitization, allowing an attacker to embed
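The three rendering paths listed above (participant tile built from a display name, screen‑share thumbnail URL dropped into an image source, link‑preview title taken from og:title) share one fix: encode participant‑controlled text before it becomes markup, and accept only http(s) URLs as image sources instead of trying to recognise bad ones. The example below is added here and is not code from the article or from any conferencing product; the function names, the participant object shape and the placeholder asset URL are assumptions.

```javascript
// Added example (not from the article): hardening the three rendering paths
// described above. Only string building is shown so the result can be checked
// without a DOM; in a real client prefer textContent/createElement over innerHTML.

// Encode the characters that let text break out of an HTML text node or a
// double-quoted attribute value. '&' goes first so nothing is double-encoded.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Allowlist http(s) for image sources. This rejects data:, javascript: and
// relative/invalid input instead of blocklisting individual payload shapes.
function isSafeImageUrl(url) {
  try {
    const parsed = new URL(String(url)); // throws on relative or malformed input
    return parsed.protocol === "https:" || parsed.protocol === "http:";
  } catch (e) {
    return false;
  }
}

// The vulnerable pattern from the article: participant data concatenated into markup.
function renderTileVulnerable(participant) {
  return `<div class="tile"><img src="${participant.thumbnailUrl}">` +
         `<span>${participant.displayName}</span></div>`;
}

// Hardened form: every participant-controlled value is encoded, and a non-http(s)
// thumbnail falls back to a server-owned placeholder (assumed asset URL).
const PLACEHOLDER = "https://example.invalid/placeholder.png";

function renderTileSafe(participant) {
  const src = isSafeImageUrl(participant.thumbnailUrl) ? participant.thumbnailUrl : PLACEHOLDER;
  return `<div class="tile"><img src="${escapeHtml(src)}">` +
         `<span>${escapeHtml(participant.displayName)}</span></div>`;
}

// Same treatment for a link-preview title fetched from a pasted URL.
function renderLinkPreview(ogTitle) {
  return `<a class="preview">${escapeHtml(ogTitle)}</a>`;
}

// Constructed sample participant: harmless markup markers, not a real payload.
const SAMPLE = { displayName: 'Alice <b>"admin"</b>', thumbnailUrl: "data:image/svg+xml,<svg></svg>" };
```

renderTileVulnerable(SAMPLE) passes the markup and the data: URL straight through, while renderTileSafe(SAMPLE) yields encoded text and the placeholder image.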