Vulnerability Description
WWBN AVideo is an open source video platform. In versions 29.0 and prior, the YPTSocket plugin's WebSocket server relays attacker-supplied JSON message bodies to every connected client without sanitizing the `msg` or `callback` fields. On the client side, `plugin/YPTSocket/script.js` contains two `eval()` sinks fed directly by those relayed fields (`json.msg.autoEvalCodeOnHTML` at line 568 and `json.callback` at line 95). Because tokens are minted for anonymous visitors and never revalidated beyond decryption, an unauthenticated attacker can broadcast arbitrary JavaScript that executes in the origin of every currently-connected user (including administrators), resulting in universal account takeover, session theft, and privileged action execution. Commit c08694bf6264eb4decceb78c711baee2609b4efd contains a fix.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Wwbn | Avideo | <= 29.0 |
Related Weaknesses (CWE)
References
- https://github.com/WWBN/AVideo/commit/c08694bf6264eb4decceb78c711baee2609b4efdPatch
- https://github.com/WWBN/AVideo/security/advisories/GHSA-gph2-j4c9-vhhrExploitVendor Advisory
- https://github.com/WWBN/AVideo/security/advisories/GHSA-gph2-j4c9-vhhrExploitVendor Advisory
FAQ
What is CVE-2026-40911?
CVE-2026-40911 is a vulnerability with a CVSS score of 10.0 (CRITICAL). WWBN AVideo is an open source video platform. In versions 29.0 and prior, the YPTSocket plugin's WebSocket server relays attacker-supplied JSON message bodies to every connected client without sanitiz...
How severe is CVE-2026-40911?
CVE-2026-40911 has been rated CRITICAL with a CVSS base score of 10.0/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2026-40911?
Check the references section above for vendor advisories and patch information. Affected products include: Wwbn Avideo.