CVE-2026-40911
Description
WWBN AVideo is an open source video platform. In versions 29.0 and prior, the YPTSocket plugin's WebSocket server relays attacker-supplied JSON message bodies to every connected client without sanitizing the msg or callback fields. On the client side, plugin/YPTSocket/script.js contains two eval() sinks fed directly by those relayed fields (json.msg.autoEvalCodeOnHTML at line 568 and json.callback at line 95). Because tokens are minted for anonymous visitors and never revalidated beyond decryption, an unauthenticated attacker can broadcast arbitrary JavaScript that executes in the origin of every currently-connected user (including administrators), resulting in universal account takeover, session theft, and privileged action execution. Commit c08694bf6264eb4decceb78c711baee2609b4efd contains a fix.
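The defensive counterpart to the two eval() sinks described above, as an added example that is not AVideo's code and not the referenced fix commit: a client-side message handler that only dispatches relayed `callback` values through a fixed allowlist of registered functions and drops any message carrying a code-bearing field such as `msg.autoEvalCodeOnHTML`. The message shape (a JSON object with `callback` and `msg` fields) follows the advisory; the handler names and the sample messages are constructed for this example.

```javascript
// Added example (not AVideo's code): allowlisted dispatch instead of eval()
// for messages relayed by a WebSocket server to every connected client.

// Registered client-side handlers. Only names present here can be invoked
// by a remote message; the names themselves are constructed for the example.
const CALLBACKS = Object.freeze({
  refreshNotifications: () => "notifications refreshed",
  updateOnlineCount: (n) => `online users: ${Number(n) || 0}`,
});

// Identifier-shaped callback names only: no parentheses, dots or quotes,
// so a callback value can never be a JavaScript expression.
const CALLBACK_NAME = /^[A-Za-z_][A-Za-z0-9_]{0,63}$/;

function parseSocketMessage(raw) {
  // Bound the size and require a plain JSON object before touching any field.
  if (typeof raw !== "string" || raw.length > 64 * 1024) return null;
  let json;
  try {
    json = JSON.parse(raw);
  } catch (e) {
    return null;
  }
  if (json === null || typeof json !== "object" || Array.isArray(json)) return null;
  return json;
}

function handleSocketMessage(raw) {
  const json = parseSocketMessage(raw);
  if (!json) return { ok: false, reason: "malformed" };

  // A relayed field that carries code is never executed: the whole message is
  // dropped so a valid callback cannot be used to smuggle it through.
  if (json.msg && typeof json.msg === "object" && "autoEvalCodeOnHTML" in json.msg) {
    return { ok: false, reason: "code-bearing field rejected" };
  }

  // The callback must be an identifier naming a registered handler.
  // hasOwnProperty keeps inherited names like "constructor" from matching.
  const name = json.callback;
  if (
    typeof name !== "string" ||
    !CALLBACK_NAME.test(name) ||
    !Object.prototype.hasOwnProperty.call(CALLBACKS, name)
  ) {
    return { ok: false, reason: "unknown callback" };
  }
  return { ok: true, result: CALLBACKS[name](json.msg) };
}

// Constructed sample messages, not captured traffic.
const SAMPLE_MESSAGES = [
  JSON.stringify({ callback: "updateOnlineCount", msg: 7 }),
  JSON.stringify({ callback: "console.log('injected')", msg: {} }),
  JSON.stringify({ callback: "refreshNotifications", msg: { autoEvalCodeOnHTML: "1+1" } }),
  "not json",
];

for (const m of SAMPLE_MESSAGES) {
  console.log(JSON.stringify(handleSocketMessage(m)));
}
```

The server-side relay is unchanged by this; the point is that the client never treats relayed strings as code, so a message broadcast to every connected user can at most invoke a function the client already chose to expose.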
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| wwbn/avideo | Packagist | <= 29.0 | — |
Affected products (1)
Patches (0)
No patches discovered yet.
References (4)
- https://github.com/WWBN/AVideo/commit/c08694bf6264eb4decceb78c711baee2609b4efd (NVD: Patch)
- https://github.com/WWBN/AVideo/security/advisories/GHSA-gph2-j4c9-vhhr (NVD: Exploit, Vendor Advisory)
- https://github.com/advisories/GHSA-gph2-j4c9-vhhr (GHSA: Advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2026-40911 (GHSA: Advisory)