WWBN AVideo: Stored XSS via autoEvalCodeOnHTML Bypass in MessageSQLite WebSocket Handler (CVE-2026-43874 Bypass)
Description
AVideo's MessageSQLite handler has a stored XSS vulnerability due to incomplete sanitization of the autoEvalCodeOnHTML parameter, allowing attackers to inject malicious code.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
AVideo's MessageSQLite handler has a stored XSS vulnerability due to incomplete sanitization of the `autoEvalCodeOnHTML` parameter, allowing attackers to inject malicious code.
Vulnerability
AVideo versions up to and including 29.0 [1] and 14.3 [2] are affected by a stored XSS vulnerability in the MessageSQLite.php WebSocket handler. The sanitization logic for the autoEvalCodeOnHTML parameter was incomplete, only targeting the $json['msg'] field while neglecting the $msg['json'] field, which is processed with higher priority by the msgToResourceId() function.
Exploitation
An attacker can exploit this vulnerability by sending a WebSocket message containing an XSS payload within the json key, rather than the msg key. This bypasses the shallow sanitization applied only to $json['msg']. The msgToResourceId() function then processes the unsanitized $msg['json'], delivering the payload to the victim's WebSocket client for evaluation.
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript code in the context of the victim's browser session. This can lead to session hijacking, information disclosure, or other malicious actions, depending on the privileges of the targeted user.
Mitigation
AVideo has released a fix for this vulnerability. The commit 3e0b3ce2bfa766183ff0ae227439394db57b1a23 [3] refactors the sanitization so that autoEvalCodeOnHTML is removed recursively from all nested paths of the message, closing the bypass. Users are advised to update to a patched version. Specific patched version numbers are not explicitly detailed in the provided references, but the fix is available in the repository.
AI Insight generated on Jun 4, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Patches (1)
1. 3e0b3ce2bfa7 Refactor: Enhance security by recursively removing auto-eval code from messages
1 file changed · +16 −3
plugin/YPTSocket/MessageSQLite.php+16 −3 modified@@ -265,10 +265,9 @@ public function onMessage(ConnectionInterface $from, $msg) { $this->msgToArray($json); //_log_message("onMessage:msgObj: " . json_encode($json)); // Strip eval-able fields from browser/guest messages. + // Remove from all nested paths so msgToResourceId cannot relay it via msg/json/fallback. if (empty($msgObj->isCommandLineInterface) && ($msgObj->sentFrom ?? '') !== 'php') { - if (is_array($json['msg'] ?? null)) { - unset($json['msg']['autoEvalCodeOnHTML']); - } + $this->removeAutoEvalCodeOnHTMLRecursive($json); if (isset($json['callback']) && !preg_match('/^[a-zA-Z_][a-zA-Z0-9_]*$/', (string)$json['callback'])) { unset($json['callback']); } @@ -286,6 +285,20 @@ public function onMessage(ConnectionInterface $from, $msg) { } } + private function removeAutoEvalCodeOnHTMLRecursive(&$data) { + if (!is_array($data)) { + return; + } + if (array_key_exists('autoEvalCodeOnHTML', $data)) { + unset($data['autoEvalCodeOnHTML']); + } + foreach ($data as &$value) { + if (is_array($value)) { + $this->removeAutoEvalCodeOnHTMLRecursive($value); + } + } + } + private function shouldPropagateInfo($row) { global $_shouldPropagateInfoLastMessage; if (!empty($row['yptDeviceId']) && preg_match('/^unknowDevice.*/', $row['yptDeviceId'])) {
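Review bot: In the first hunk the recursive strip only runs inside `if (empty($msgObj->isCommandLineInterface) && ($msgObj->sentFrom ?? '') !== 'php')`, and the diff does not show where `$msgObj` is populated; please confirm both fields come from server-side connection state rather than from the decoded client message, since the whole strip is skipped when that condition is false. A one-line comment above the condition stating the source of that trust decision would make this reviewable without reading the rest of the class.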
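Review bot: `removeAutoEvalCodeOnHTMLRecursive` in the second hunk only descends into values that satisfy `is_array($value)`, so it depends on the earlier `$this->msgToArray($json)` having converted every nested level to an array; any level left as a stdClass object keeps its `autoEvalCodeOnHTML` key. Either handle objects in the recursion as well or document that msgToArray guarantees a fully array-typed structure, and add `unset($value);` after the `foreach ($data as &$value)` loop so the by-reference iterator variable does not outlive the loop.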
Vulnerability mechanics
Root cause
"The MessageSQLite.php handler only strips `autoEvalCodeOnHTML` from the `$json['msg']` key, but not from the `$msg['json']` key which is processed with higher priority."
Attack vector
An attacker sends a WebSocket message containing an XSS payload within the `json` key, rather than the `msg` key. The sanitization logic in `MessageSQLite.php` at lines 268-271 only targets `$json['msg']` and leaves `$msg['json']` untouched [ref_id=1]. Subsequently, the `msgToResourceId()` function reads from `$msg['json']` at line 361, bypassing the sanitization and delivering the payload to the victim's WebSocket client for evaluation [ref_id=1].
Affected code
The vulnerability resides in `plugin/YPTSocket/MessageSQLite.php`. Specifically, lines 268-271 contain the incomplete sanitization logic, while lines 361-367 demonstrate how `msgToResourceId()` bypasses this by prioritizing the `$msg['json']` field [ref_id=1]. The fix involves adding a call to `removeAutoEvalCodeOnHTMLRecursive()` within the message handling logic [patch_id=4828896].
What the fix does
The patch modifies `plugin/YPTSocket/MessageSQLite.php` to call `removeAutoEvalCodeOnHTMLRecursive($json)` instead of only attempting to unset `autoEvalCodeOnHTML` from `$json['msg']` [patch_id=4828896]. This ensures that the `autoEvalCodeOnHTML` field is recursively removed from all nested paths within the message data, preventing the bypass through the `$msg['json']` key.
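To make the bypass and the fix concrete, here is an added example (not AVideo's own code) that runs a pre-fix shallow strip and a recursive strip modelled on the patch over three constructed message shapes; the function names and sample messages are my own.

```php
<?php
// Added example (not AVideo's code): pre-fix shallow strip vs. the recursive
// strip introduced by commit 3e0b3ce2, run on the message shapes from the advisory.

// Pre-fix behaviour: only $json['msg'] is inspected.
function stripShallow(array $json): array {
    if (is_array($json['msg'] ?? null)) {
        unset($json['msg']['autoEvalCodeOnHTML']);
    }
    return $json;
}

// Post-fix behaviour: drop the key at every nesting level (mirrors the patch).
function stripRecursive(array &$data): void {
    if (array_key_exists('autoEvalCodeOnHTML', $data)) {
        unset($data['autoEvalCodeOnHTML']);
    }
    foreach ($data as &$value) {
        if (is_array($value)) {
            stripRecursive($value);
        }
    }
    unset($value); // release the by-reference loop variable
}

// Defender's check: does the key survive anywhere in the structure?
function containsAutoEval(array $data): bool {
    foreach ($data as $key => $value) {
        if ($key === 'autoEvalCodeOnHTML' || (is_array($value) && containsAutoEval($value))) {
            return true;
        }
    }
    return false;
}

// Constructed sample messages, decoded as associative arrays so every level is
// an array (the recursive strip skips stdClass objects because it tests is_array()).
$samples = [
    'msg'    => '{"msg":{"autoEvalCodeOnHTML":"x"},"to_users_id":1}',
    'json'   => '{"msg":"hi","json":{"autoEvalCodeOnHTML":"x"},"to_users_id":1}',
    'nested' => '{"json":{"msg":{"autoEvalCodeOnHTML":"x"}}}',
];
foreach ($samples as $name => $raw) {
    $json = json_decode($raw, true);
    $shallow = stripShallow($json);   // works on a copy
    stripRecursive($json);            // modifies $json in place
    printf("%-7s shallow leaves key: %-3s recursive leaves key: %s\n", $name,
        containsAutoEval($shallow) ? 'yes' : 'no', containsAutoEval($json) ? 'yes' : 'no');
}
```

Only the `msg` sample is cleaned by the shallow strip; the `json` and `nested` samples keep the key until the recursive strip is applied, which is the gap the advisory describes.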
Preconditions
- auth: The attacker must be authenticated.
- network: The attacker must be able to send WebSocket messages to the AVideo server.
Reproduction
// Connect to AVideo WebSocket as authenticated user
const ws = new WebSocket('wss://TARGET/plugin/YPTSocket/server.php?token=USER_TOKEN');

ws.onopen = () => {
  ws.send(JSON.stringify({
    msg: "Hello", // sanitized path — decoy
    json: {autoEvalCodeOnHTML: "alert('XSS')"}, // unsanitized path — payload
    to_users_id: VICTIM_USER_ID,
    resourceId: RESOURCE_ID
  }));
};
// Victim's client evaluates alert('XSS') via autoEvalCodeOnHTML mechanism
Generated on Jun 4, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References