Description
WWBN AVideo is an open source video platform. In versions up to and including 29.0, objects/notifySubscribers.json.php takes the raw message POST parameter and passes it into sendSiteEmail(), which substitutes it directly into an HTML email template (via str_replace on the {message} placeholder) and renders it with PHPMailer::msgHTML(). There is no HTML sanitization, character escaping, or output encoding on the attacker-controlled message between $_POST['message'] and the rendered email. Any authenticated user with upload permission can therefore broadcast arbitrary HTML — phishing links, tracking pixels, CSS/UI spoofing — to every subscriber on their channel (up to 10,000 recipients per invocation). The email is sent From: the platform's configured contact address and wrapped in the site's official logo and title, so attacker-supplied HTML arrives with the appearance of an official platform communication. Commit https://github.com/WWBN/AVideo/commit/ contains an updated fix.
Published: 2026-05-11
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows an authenticated user with upload permission to submit arbitrary HTML via the message POST parameter to notifySubscribers.json.php. The payload is inserted directly into an email template without sanitization and rendered as HTML, enabling attackers to send phishing links, tracking pixels, or UI spoofing to all subscribers. The emails appear to come from the platform's official address and branding, potentially deceiving up to 10,000 recipients on a single channel.

Affected Systems

WWBN AVideo versions up to and including 29.0 are affected. The issue was resolved in a later commit. Users of these versions on any supported operating systems must review their installation.

Risk and Exploitability

The CVSS score is 6.4, indicating moderate severity. No EPSS value is available, and the vulnerability is not listed in the CISA KEV catalog. The attack requires authentication and upload permissions, so insider access or compromised user credentials are prerequisites. Once satisfied, an attacker can broadcast malicious HTML to thousands of subscribers via the platform-branded email interface.

Generated by OpenCVE AI on May 11, 2026 at 22:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor patch provided in commit 078c4342eb9969a70425a9cdca3eefa7f8a86d53 or upgrade to a version newer than 29.0.
  • Restrict or remove upload permissions for users who do not need to send channel notifications.
  • Implement input validation and HTML escaping for the message field before it is inserted into the email template.
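The substitution pattern the description refers to (raw POST value dropped into an HTML template with str_replace and rendered by PHPMailer::msgHTML()) and the escaping the recommended actions ask for can be compared side by side. The PHP below is an added illustration written for this page; it is not AVideo's code and not the content of the fix commit. The template string, the function names renderNotificationVulnerable, renderNotificationSafe and trustedMarkupOnly, and the sample message are all constructed for the example.

```php
<?php
// Hypothetical stand-in for the site's HTML email template (constructed for this example).
// AVideo's real template wraps the message in the site logo and title; the placeholder
// name {message} matches the one named in the advisory.
const NOTIFY_TEMPLATE = '<html><body><h1>{siteTitle}</h1><div>{message}</div></body></html>';

// Vulnerable pattern as described in the advisory: the message is substituted verbatim,
// so any markup it contains is interpreted by the recipient's mail client.
function renderNotificationVulnerable(string $siteTitle, string $message): string
{
    return str_replace(
        ['{siteTitle}', '{message}'],
        [$siteTitle, $message],   // no encoding between the POST value and the rendered HTML
        NOTIFY_TEMPLATE
    );
}

// Hardened pattern: treat the subscriber message as plain text. Encode every
// HTML-significant character first, then convert newlines so the text still reads
// as separate lines in an HTML email. The only markup the message can contribute
// is the <br /> that nl2br inserts, and every placeholder is encoded the same way.
function renderNotificationSafe(string $siteTitle, string $message): string
{
    $encode = static fn (string $s): string =>
        htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');

    return str_replace(
        ['{siteTitle}', '{message}'],
        [$encode($siteTitle), nl2br($encode($message))],
        NOTIFY_TEMPLATE
    );
}

// Pre-send guard / unit-test helper: after rendering, the body may contain only the
// tags the trusted template itself uses plus <br /> from nl2br. Any other tag name
// means user-controlled markup survived into the email.
function trustedMarkupOnly(string $rendered): bool
{
    $allowed = ['html', 'body', 'h1', 'div', 'br'];
    preg_match_all('/<\s*\/?\s*([a-zA-Z0-9]+)/', $rendered, $matches);
    foreach ($matches[1] as $tag) {
        if (!in_array(strtolower($tag), $allowed, true)) {
            return false;
        }
    }
    return true;
}

// Constructed sample input: a message that carries markup, as a subscriber-facing
// notification never legitimately needs to.
$sample = "Thanks for subscribing!\n<a href=\"https://example.invalid/login\">Confirm your account</a>";

assert(!trustedMarkupOnly(renderNotificationVulnerable('Example Site', $sample)));
assert(trustedMarkupOnly(renderNotificationSafe('Example Site', $sample)));

echo renderNotificationSafe('Example Site', $sample), PHP_EOL;
```

Order matters in the hardened version: encode first, then nl2br, so the `<br />` tags it adds are the only markup not coming from the template. If a deployment genuinely needs subscriber-supplied formatting, the escaping step should be replaced by an allow-list HTML sanitizer rather than weakened; and setting PHPMailer's plain-text AltBody from the unencoded text keeps the message readable for clients that do not render HTML.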

Generated by OpenCVE AI on May 11, 2026 at 22:59 UTC.

Advisories
Source: Github GHSA
ID: GHSA-g9cm-rxp7-6gv5
Title: AVideo: HTML Injection in notifySubscribers.json.php Allows Platform-Branded Phishing Emails to Channel Subscribers
History

Mon, 11 May 2026 23:00:00 +0000

First Time appeared (values added): Wwbn; Wwbn avideo
Vendors & Products (values added): Wwbn; Wwbn avideo

Mon, 11 May 2026 21:30:00 +0000

Description (value added): identical to the Description section above.
Title (value added): WWBN AVideo: HTML Injection in notifySubscribers.json.php Enables Platform-Branded Phishing Emails to Channel Subscribers
Weaknesses (value added): CWE-79
References (value added): none shown
Metrics (value added): cvssV3_1, score 6.4, vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-11T20:33:26.198Z

Reserved: 2026-05-04T15:17:09.329Z

Link: CVE-2026-43876

Vulnrichment

No data.

NVD

Status: Deferred

Published: 2026-05-11T22:22:11.983

Modified: 2026-05-12T15:13:21.560

Link: CVE-2026-43876

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-11T23:00:19Z

Weaknesses