Cyber Posture

CVE-2026-40911

Severity: Critical · Public PoC available

Published: 21 April 2026
Modified: 27 April 2026
KEV Added: (no date listed)
Patch: available (see fix commit below)
CVSS Score: 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0029 (52.0th percentile)
Risk Priority: 20 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Description

WWBN AVideo is an open source video platform. In versions 29.0 and prior, the YPTSocket plugin's WebSocket server relays attacker-supplied JSON message bodies to every connected client without sanitizing the `msg` or `callback` fields. On the client side, `plugin/YPTSocket/script.js` contains two `eval()` sinks fed directly by those relayed fields (`json.msg.autoEvalCodeOnHTML` at line 568 and `json.callback` at line 95). Because tokens are minted for anonymous visitors and never revalidated beyond decryption, an unauthenticated attacker can broadcast arbitrary JavaScript that executes in the origin of every currently-connected user (including administrators), resulting in universal account takeover, session theft, and privileged action execution. Commit c08694bf6264eb4decceb78c711baee2609b4efd contains a fix.

Mitigating Controls (NIST 800-53 r5)

Prevent: validate and sanitize the attacker-supplied JSON `msg` and `callback` fields on the WebSocket server before relaying them, so that code cannot be injected.

Prevent: filter relayed JSON messages before they reach clients, so malicious content never arrives at the client-side `eval()` sinks.

Prevent: restrict execution of arbitrary JavaScript (mobile code) delivered to connected clients via unsanitized WebSocket broadcasts.
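The relay-to-`eval()` path in the description and the three controls above, as an added JavaScript example. This is not AVideo's or the YPTSocket plugin's code and does not reproduce the referenced fix commit; it models the same message shape. The function names, the `CALLBACKS` table, the `victimState` object and the attacker payload are constructed for this example. The vulnerable handler shows why a relayed string in `callback` or `msg.autoEvalCodeOnHTML` is enough for execution in the victim's origin; the hardened handler dispatches through an allowlist and never evaluates code; the relay sanitizer rebuilds the outbound message from allowlisted fields instead of forwarding the sender's JSON.

```javascript
'use strict';
// Added example, not code from AVideo or its YPTSocket plugin. Models the path
// the advisory describes: a relay forwards attacker-controlled JSON to every
// connected client, and the client passes two relayed fields, `callback` and
// `msg.autoEvalCodeOnHTML`, to eval(). All names and payloads are constructed.

// Stand-in for state living in the victim's origin (constructed value).
const victimState = { sessionToken: 'constructed-admin-session-token' };

// --- Vulnerable client: the two relayed strings are evaluated as code -------
function vulnerableClientOnMessage(rawJson) {
  const json = JSON.parse(rawJson);
  const results = [];
  if (typeof json.callback === 'string') {
    results.push(eval(json.callback));                // sink 1: json.callback
  }
  if (json.msg && typeof json.msg.autoEvalCodeOnHTML === 'string') {
    results.push(eval(json.msg.autoEvalCodeOnHTML));  // sink 2: json.msg.autoEvalCodeOnHTML
  }
  return results; // attacker code ran in the caller's scope
}

// --- Hardened client: no eval(); callbacks resolved through an allowlist ----
const CALLBACKS = Object.freeze({
  refreshComments: () => 'comments refreshed',
  showToast: (text) => `toast: ${text}`,
});

function hardenedClientOnMessage(rawJson) {
  let json;
  try { json = JSON.parse(rawJson); } catch (e) { return { ok: false, reason: 'invalid JSON' }; }
  if (json === null || typeof json !== 'object') return { ok: false, reason: 'not an object' };
  // Refuse the code-carrying field outright rather than trying to sanitize it.
  if (json.msg && Object.prototype.hasOwnProperty.call(json.msg, 'autoEvalCodeOnHTML')) {
    return { ok: false, reason: 'autoEvalCodeOnHTML is not accepted' };
  }
  // hasOwnProperty, not `in` or plain indexing, so names such as "constructor"
  // cannot resolve to Object.prototype members.
  if (typeof json.callback !== 'string' ||
      !Object.prototype.hasOwnProperty.call(CALLBACKS, json.callback)) {
    return { ok: false, reason: 'unknown callback' };
  }
  const text = json.msg && typeof json.msg.text === 'string' ? json.msg.text : '';
  return { ok: true, result: CALLBACKS[json.callback](text) };
}

// --- Server-side relay: rebuild the outbound message from allowlisted fields -
const RELAYABLE_CALLBACKS = new Set(Object.keys(CALLBACKS));

function sanitizeForRelay(rawJson) {
  let json;
  try { json = JSON.parse(rawJson); } catch (e) { return null; }
  if (json === null || typeof json !== 'object') return null;
  if (typeof json.callback !== 'string' || !RELAYABLE_CALLBACKS.has(json.callback)) return null;
  const text = json.msg && typeof json.msg.text === 'string' ? json.msg.text.slice(0, 500) : '';
  // Only these fields leave the server; anything else the sender supplied is dropped.
  return JSON.stringify({ callback: json.callback, msg: { text } });
}

// Constructed attacker message carrying one payload per sink.
const ATTACKER_MESSAGE = JSON.stringify({
  callback: 'victimState.sessionToken',
  msg: { autoEvalCodeOnHTML: 'victimState.sessionToken.length' },
});

if (typeof require !== 'undefined' && require.main === module) {
  console.log('vulnerable client:', vulnerableClientOnMessage(ATTACKER_MESSAGE));
  console.log('hardened client:  ', hardenedClientOnMessage(ATTACKER_MESSAGE));
  console.log('relay sanitizer:  ', sanitizeForRelay(ATTACKER_MESSAGE));
}
```

Run with `node` to see the vulnerable handler return the victim's token while the hardened handler and the relay sanitizer both reject the same message. The two defensive layers are deliberately independent: the server-side rebuild stops the broadcast at the source, and the client-side allowlist still protects a client that receives a message from an unpatched or malicious relay.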

Security Summary

CVE-2026-40911 is a critical code injection vulnerability (CWE-94) affecting WWBN AVideo, an open source video platform, in versions 29.0 and prior. The issue resides in the YPTSocket plugin's WebSocket server, which relays attacker-supplied JSON message bodies to every connected client without sanitizing the `msg` or `callback` fields. On the client side, the file `plugin/YPTSocket/script.js` contains two `eval()` sinks directly processing these fields (`json.msg.autoEvalCodeOnHTML` at line 568 and `json.callback` at line 95), enabling arbitrary JavaScript execution within the origin of connected users.

An unauthenticated attacker can exploit this vulnerability because the server mints WebSocket tokens for anonymous visitors and, beyond decrypting them, never revalidates them. By connecting to the WebSocket server and sending a crafted JSON message, the attacker broadcasts malicious JavaScript that executes immediately in the browsers of all currently connected clients, including administrators. This results in universal account takeover, session theft, and execution of privileged actions across all victims.

Mitigation is provided in commit c08694bf6264eb4decceb78c711baee2609b4efd, which addresses the unsanitized relaying and eval sinks. The GitHub Security Advisory GHSA-gph2-j4c9-vhhr details the issue and recommends updating to the patched version.

Details

CWE(s): CWE-94 (Improper Control of Generation of Code, 'Code Injection')

Affected Products: wwbn / avideo, versions ≤ 29.0

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059.007 JavaScript (Execution): adversaries may abuse various implementations of JavaScript for execution.
Why these techniques?

The vulnerability allows unauthenticated exploitation of a public-facing WebSocket server (T1190) to inject and execute arbitrary JavaScript in connected clients' browsers via eval sinks (T1059.007), enabling account takeover and session theft.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
