CVE-2026-43874

HIGH 7.2

WWBN AVideo: Incomplete Fix for YPTSocket autoEvalCodeOnHTML Strip: Unauthenticated Cross-User JavaScript Execution via `$msg['json']` Relay Bypass

CVSS Score

7.2

EPSS Score

0.1%

EPSS Percentile

17th

WWBN AVideo is an open source video platform. In versions up to and including 29.0, the server-side mitigation for the YPTSocket autoEvalCodeOnHTML eval sink (from CVE-2026-40911) only strips the payload when it sits under $json['msg'], but the relay function msgToResourceId() selects the outbound message from $msg['json'] before $msg['msg']. An unauthenticated attacker can obtain a WebSocket token from plugin/YPTSocket/getWebSocket.json.php, connect to the WebSocket server, and send a message with autoEvalCodeOnHTML nested under a top-level json field — the strip branch is skipped, the relay delivers the payload verbatim to any logged-in user identified by to_users_id, and the client script runs it through eval(). Commit 9f3006f9a89a34daa67a83c6ad35f450cb91fcce contains an updated fix.

CWE	CWE-94
Vendor	wwbn
Product	avideo
Published	May 11, 2026
Last Updated	May 12, 2026

Stay Ahead of the Next One

Get instant alerts for wwbn avideo

Be the first to know when new high vulnerabilities affecting wwbn avideo are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

Affected Versions

WWBN / AVideo

<= 29.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/WWBN/AVideo/security/advisories/GHSA-ghcv-22jf-vfxm github.com: https://github.com/WWBN/AVideo/commit/9f3006f9a89a34daa67a83c6ad35f450cb91fcce