Description
WWBN AVideo is an open source video platform. In versions 29.0 and prior, the YPTSocket plugin's WebSocket server relays attacker-supplied JSON message bodies to every connected client without sanitizing the `msg` or `callback` fields. On the client side, `plugin/YPTSocket/script.js` contains two `eval()` sinks fed directly by those relayed fields (`json.msg.autoEvalCodeOnHTML` at line 568 and `json.callback` at line 95). Because tokens are minted for anonymous visitors and never revalidated beyond decryption, an unauthenticated attacker can broadcast arbitrary JavaScript that executes in the origin of every currently-connected user (including administrators), resulting in universal account takeover, session theft, and privileged action execution. Commit c08694bf6264eb4decceb78c711baee2609b4efd contains a fix.
Published: 2026-04-21
Score: 10 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑User Remote JavaScript Execution leading to Account Takeover
Action: Immediate Patch
AI Analysis

Impact

The YPTSocket plugin in WWBN AVideo versions 29.0 and earlier forwards attacker‑supplied JSON message bodies to all connected clients without any sanitization. Two eval() sinks on the client side—one that evaluates code contained in the JSON field autoEvalCodeOnHTML and another that evaluates the JSON field callback—can be triggered by the data sent through these messages. An attacker can thus broadcast arbitrary JavaScript that is executed in the context of every user currently connected to the WebSocket server, including administrators. This enables universal account takeover, session hijacking, and execution of privileged actions. The vulnerability is effective even for unauthenticated users because tokens minted for anonymous visitors are not revalidated beyond decryption, allowing the attacker to deliver malicious payloads without first authenticating.

Affected Systems

WWBN AVideo, specifically the YPTSocket plugin in releases 29.0 and earlier. The fix was included in commit c08694bf6264eb4decceb78c711baee2609b4efd, which removed the unsanitized eval sinks and added proper validation.

Risk and Exploitability

This weakness corresponds to CWE‑94 code injection and carries a CVSS score of 10, indicating critical severity. The EPSS score is not available, but the lack of an EPSS rating does not diminish the inherent risk presented by the ability to inject and execute code on all connected clients. The vulnerability is not listed in the CISA KEV catalog, yet the attack requires only a WebSocket connection to the vulnerable plugin; an unauthenticated attacker can trigger the exploit without needing elevated privileges or prior knowledge of user credentials. The combination of a high severity rating, the lack of authentication checks, and the widespread use of WebSocket connections makes exploitation highly likely in exposed deployments.

Generated by OpenCVE AI on April 22, 2026 at 05:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the patch referenced in commit c08694bf6264eb4decceb78c711baee2609b4efd or upgrade to any AVideo version newer than 29.0 in which the YPTSocket plugin sanitizes input and removes the eval sinks.
  • If an immediate upgrade is not feasible, temporarily disable the YPTSocket plugin or block WebSocket traffic to the plugin endpoint from untrusted networks to prevent broadcast of malicious payloads.
  • Review and enforce stricter token validation for anonymous visitors, ensuring that tokens are revalidated on each use or replaced with authenticated session mechanisms, to eliminate the ability for unauthenticated actors to launch the exploit.

Generated by OpenCVE AI on April 22, 2026 at 05:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 22 Apr 2026 04:30:00 +0000

Type Values Removed Values Added
First Time appeared Wwbn
Wwbn avideo
Vendors & Products Wwbn
Wwbn avideo

Wed, 22 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
Description WWBN AVideo is an open source video platform. In versions 29.0 and prior, the YPTSocket plugin's WebSocket server relays attacker-supplied JSON message bodies to every connected client without sanitizing the `msg` or `callback` fields. On the client side, `plugin/YPTSocket/script.js` contains two `eval()` sinks fed directly by those relayed fields (`json.msg.autoEvalCodeOnHTML` at line 568 and `json.callback` at line 95). Because tokens are minted for anonymous visitors and never revalidated beyond decryption, an unauthenticated attacker can broadcast arbitrary JavaScript that executes in the origin of every currently-connected user (including administrators), resulting in universal account takeover, session theft, and privileged action execution. Commit c08694bf6264eb4decceb78c711baee2609b4efd contains a fix.
Title WWBN AVideo YPTSocket WebSocket Broadcast Relay Leads to Unauthenticated Cross-User JavaScript Execution via Client-Side eval() Sinks
Weaknesses CWE-94
References
Metrics cvssV3_1

{'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}

Subscriptions

Wwbn Avideo
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-22T13:22:26.143Z

Reserved: 2026-04-15T16:37:22.768Z

Link: CVE-2026-40911

cve-icon Vulnrichment

Updated: 2026-04-22T13:22:22.013Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-21T21:16:45.350

Modified: 2026-04-22T21:24:26.997

Link: CVE-2026-40911

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T05:30:09Z

Weaknesses