PT-2026-34175 · Wwbn · Avideo

Published: 2026-04-21 · Updated: 2026-04-21 · CVE-2026-40911

CVSS v3.1: 10 Critical · AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: WWBN AVideo versions 29.0 and earlier

Description: The YPTSocket plugin WebSocket server relays JSON message bodies to all connected clients without sanitizing the msg and callback fields. On the client side, the plugin/YPTSocket/script.js file contains two eval() sinks—functions that execute strings as code—which are fed directly by the json.msg.autoEvalCodeOnHTML and json.callback variables. Since tokens for anonymous visitors are minted and not revalidated after decryption, an unauthenticated attacker can broadcast arbitrary JavaScript. This code executes in the origin of every connected user, including administrators, potentially leading to universal account takeover, session theft, and the execution of privileged actions.

Recommendations: Update to the version containing commit c08694bf6264eb4decceb78c711baee2609b4efd.
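The root cause above is a client that hands relayed JSON fields (json.callback and json.msg.autoEvalCodeOnHTML) to eval(). The following is an added illustrative example, not AVideo's own code or its fix: a client-side message dispatcher that never evaluates strings, looks up callbacks in a fixed allowlist, and drops code-carrying fields. The function name handleSocketMessage, the registry contents and the message shapes are assumptions made for the example.

```javascript
// Added example (not from the AVideo project): a hardened dispatcher for
// YPTSocket-style broadcast messages. Instead of eval(json.callback) or
// eval(json.msg.autoEvalCodeOnHTML), callbacks are resolved by name through
// a frozen allowlist, and any message carrying a code field is rejected.
// Handler names and payload fields below are constructed for illustration.

const CALLBACK_REGISTRY = Object.freeze({
  onUserOnline: (data) => ({ action: "online", users: data.users_online }),
  onVideoSync: (data) => ({ action: "sync", at: data.currentTime }),
});

function isPlainObject(v) {
  return v !== null && typeof v === "object" && !Array.isArray(v);
}

// Returns { ok: true, result } when a whitelisted callback ran, otherwise
// { ok: false, reason } so the caller can log the dropped message.
function handleSocketMessage(raw, registry = CALLBACK_REGISTRY) {
  let json;
  try {
    json = JSON.parse(raw);
  } catch (e) {
    return { ok: false, reason: "invalid-json" };
  }
  if (!isPlainObject(json) || !isPlainObject(json.msg)) {
    return { ok: false, reason: "bad-shape" };
  }
  // Refuse code-carrying fields regardless of what the server relayed.
  if ("autoEvalCodeOnHTML" in json.msg) {
    return { ok: false, reason: "code-field-rejected" };
  }
  const name = json.callback;
  // hasOwnProperty keeps inherited names like "toString" off the allowlist.
  if (typeof name !== "string" ||
      !Object.prototype.hasOwnProperty.call(registry, name)) {
    return { ok: false, reason: "unknown-callback" };
  }
  return { ok: true, result: registry[name](json.msg) };
}
```

A server-side relay should apply the same schema check before broadcasting, so a bad message is dropped once rather than in every browser.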

Fix

Weakness Enumeration: Code Injection

Related Identifiers: CVE-2026-40911

Affected Products: Avideo