CRITICAL🇵🇱 Wersja polska

CVE-2026-40911

CVSS 10.0v3.1pub. 2026-04-21upd. 2026-04-27

WWBN AVideo is an open source video platform. In versions 29.0 and prior, the YPTSocket plugin's WebSocket server relays attacker-supplied JSON message bodies to every connected client without sanitizing the `msg` or `callback` fields. On the client side, `plugin/YPTSocket/script.js` contains two `eval()` sinks fed directly by those relayed fields (`json.msg.autoEvalCodeOnHTML` at line 568 and `json.callback` at line 95). Because tokens are minted for anonymous visitors and never revalidated beyond decryption, an unauthenticated attacker can broadcast arbitrary JavaScript that executes in the origin of every currently-connected user (including administrators), resulting in universal account takeover, session theft, and privileged action execution. Commit c08694bf6264eb4decceb78c711baee2609b4efd contains a fix.

🤖 AI Analysis
How it works

The WebSocket server of the YPTSocket plugin passes JSON message bodies supplied by the attacker to all connected clients without any sanitization of the `msg` and `callback` fields. On the client side, the `plugin/YPTSocket/script.js` script passes these fields directly to two `eval()` calls (lines 568 and 95), which causes the supplied JavaScript code to be executed in the recipient's browser context. Access tokens are issued to anonymous users and are not re-verified beyond their decryption, meaning that an attacker without any credentials can broadcast a malicious payload to all active sessions.

Impact

An attacker can take over accounts of all currently logged-in users (including administrators), steal session tokens, and perform privileged operations on their behalf — leading to complete platform compromise.

Mitigation & patch

Apply the fix contained in commit c08694bf6264eb4decceb78c711baee2609b4efd available in the WWBN/AVideo GitHub repository. Until the update is applied, consider disabling the YPTSocket plugin or restricting access to the WebSocket server at the firewall level.

Who is affected

WWBN AVideo version 29.0 and earlier

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
  • Wwbn Avideo

    APP
    Wwbn
    ≤ 29.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Auth Bypass
CWE
References

Related vulnerabilities

CVE-2026-41064CRITICAL9.3PL ✓ten sam produkt

WWBN AVideo — niekompletna naprawa command injection w test.php

CVE-2026-34374CRITICAL9.1PL ✓ten sam produkt

SQL Injection w WWBN AVideo — mechanizm uwierzytelniania RTMP

CVE-2026-33867CRITICAL9.1PL ✓ten sam produkt

WWBN AVideo: hasła do filmów przechowywane w bazie jako plaintext

CVE-2026-33351CRITICAL9.1PL ✓ten sam produkt

SSRF w WWBN AVideo — brak walidacji parametru URL w saveDVR.json.php

CVE-2026-33478CRITICAL10.0PL ✓ten sam produkt

RCE bez uwierzytelnienia w WWBN AVideo — łańcuch podatności w pluginie CloneSite