Description
WWBN AVideo is an open source video platform. In versions up to and including 29.0, the server-side mitigation for the YPTSocket autoEvalCodeOnHTML eval sink (from CVE-2026-40911) only strips the payload when it sits under $json['msg'], but the relay function msgToResourceId() selects the outbound message from $msg['json'] before $msg['msg']. An unauthenticated attacker can obtain a WebSocket token from plugin/YPTSocket/getWebSocket.json.php, connect to the WebSocket server, and send a message with autoEvalCodeOnHTML nested under a top-level json field — the strip branch is skipped, the relay delivers the payload verbatim to any logged-in user identified by to_users_id, and the client script runs it through eval(). Commit 9f3006f9a89a34daa67a83c6ad35f450cb91fcce contains an updated fix.
Published: 2026-05-11
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An incomplete mitigation in WWBN AVideo versions up to 29.0 allows an attacker who can obtain a WebSocket token to inject malicious JavaScript via the autoEvalCodeOnHTML sink. The token is retrieved from an unauthenticated plugin endpoint, enabling a WebSocket connection that transmits a message containing the code under a top‑level json field. Because the server skips the stripping logic for the $msg['json'] payload, the code is forwarded unchanged to any logged‑in user identified by to_users_id, and the client evaluates it, giving the attacker code execution on the victim’s browser. This constitutes a execution of arbitrary payload (CWE‑94).

Affected Systems

WWBN AVideo, all releases through version 29.0 inclusive. Any instance deploying the YPTSocket plugin and not patched is vulnerable.

Risk and Exploitability

The CVSS score of 7.2 indicates high severity, while EPSS data is not provided, leaving the current exploitation probability uncertain. The vulnerability is not in the CISA KEV catalog, but the combination of an unauthenticated WebSocket token and a sink that executes client‑side JavaScript points to a realistic attack path for malicious actors who can target active AVideo installations.

Generated by OpenCVE AI on May 11, 2026 at 22:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the patch from commit 9f3006f9a89a34daa67a83c6ad35f450cb91fcce or upgrade to a release newer than 29.0
  • Disable the YPTSocket plugin or restrict access to the /plugin/YPTSocket/getWebSocket.json.php endpoint until the fix is deployed
  • Implement input validation or filtering for the autoEvalCodeOnHTML sink if configuration changes are not possible, ensuring the payload is sanitized before reaching the eval context

Generated by OpenCVE AI on May 11, 2026 at 22:33 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-ghcv-22jf-vfxm AVideo has an Incomplete Fix for YPTSocket autoEvalCodeOnHTML Strip: Unauthenticated Cross-User JavaScript Execution via `$msg['json']` Relay Bypass
History

Tue, 12 May 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 11 May 2026 22:45:00 +0000

Type Values Removed Values Added
First Time appeared Wwbn
Wwbn avideo
Vendors & Products Wwbn
Wwbn avideo

Mon, 11 May 2026 20:45:00 +0000

Type Values Removed Values Added
Description WWBN AVideo is an open source video platform. In versions up to and including 29.0, the server-side mitigation for the YPTSocket autoEvalCodeOnHTML eval sink (from CVE-2026-40911) only strips the payload when it sits under $json['msg'], but the relay function msgToResourceId() selects the outbound message from $msg['json'] before $msg['msg']. An unauthenticated attacker can obtain a WebSocket token from plugin/YPTSocket/getWebSocket.json.php, connect to the WebSocket server, and send a message with autoEvalCodeOnHTML nested under a top-level json field — the strip branch is skipped, the relay delivers the payload verbatim to any logged-in user identified by to_users_id, and the client script runs it through eval(). Commit 9f3006f9a89a34daa67a83c6ad35f450cb91fcce contains an updated fix.
Title WWBN AVideo: Incomplete Fix for YPTSocket autoEvalCodeOnHTML Strip: Unauthenticated Cross-User JavaScript Execution via `$msg['json']` Relay Bypass
Weaknesses CWE-94
References
Metrics cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Wwbn Avideo
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-12T13:24:03.400Z

Reserved: 2026-05-04T15:17:09.329Z

Link: CVE-2026-43874

cve-icon Vulnrichment

Updated: 2026-05-12T13:23:50.645Z

cve-icon NVD

Status : Deferred

Published: 2026-05-11T21:19:02.120

Modified: 2026-05-12T14:50:18.527

Link: CVE-2026-43874

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-11T22:45:36Z

Weaknesses