PT-2026-37290 · Avideo · Avideo
Offset · Published 2026-05-05 · Updated 2026-05-12 · CVE-2026-43874
CVSS v3.1: 7.2 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: WWBN AVideo versions prior to 29.1
Description: An unauthenticated attacker can execute arbitrary JavaScript in the browser session of any logged-in user. The issue stems from an incomplete server-side mitigation for an eval sink. The server attempts to strip the autoEvalCodeOnHTML payload, but only when it is located under the $json['msg'] variable. The msgToResourceId() function, however, prefers the $msg['json'] variable when building outbound messages, so a payload nested under a top-level json field never passes through the strip branch.
An attacker can obtain a WebSocket token from the 'plugin/YPTSocket/getWebSocket.json.php' endpoint, connect to the WebSocket server, and send a crafted message targeting a specific user via the "to users id" variable. The payload is delivered verbatim to the victim, where the client-side script executes it with eval(). This can lead to session data exfiltration, or to privilege escalation if an administrator is targeted.
Recommendations: Update to a version containing commit 9f3006f9a89a34daa67a83c6ad35f450cb91fcce. As a temporary workaround, restrict access to the 'plugin/YPTSocket/getWebSocket.json.php' endpoint to reduce the risk of unauthenticated attackers obtaining WebSocket tokens.
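The following PHP is an added illustration of the filtering gap described above; it is not AVideo's code and not the fix in the referenced commit. It models the defect with constructed data: a strip routine that inspects only the 'msg' branch, an outbound selector that prefers the 'json' branch (an assumed simplification of msgToResourceId(), collapsing $json and $msg into one array), and a recursive alternative that removes the autoEvalCodeOnHTML key at every nesting level. Only the key name comes from the advisory; all function names and the message layout are assumptions.

```php
<?php
// Added illustration, not AVideo's own code. Models the advisory's description
// with constructed data; only the key name autoEvalCodeOnHTML is from the page.

const EVAL_KEY = 'autoEvalCodeOnHTML';

// Shape of the incomplete mitigation the advisory describes (assumed structure):
// the key is removed only when it sits under the 'msg' branch.
function stripEvalKeyShallow(array $json): array {
    if (isset($json['msg']) && is_array($json['msg'])) {
        unset($json['msg'][EVAL_KEY]);
    }
    return $json;
}

// Defensive alternative: walk every array level and drop the key wherever it
// appears, so the choice of nesting cannot route around the filter.
function stripEvalKeyDeep(array $data): array {
    $out = [];
    foreach ($data as $key => $value) {
        if ($key === EVAL_KEY) {
            continue;
        }
        $out[$key] = is_array($value) ? stripEvalKeyDeep($value) : $value;
    }
    return $out;
}

// Assumed simplification of the outbound selection: the 'json' branch is
// preferred over 'msg' when both are present.
function selectOutboundPayload(array $msg): array {
    if (isset($msg['json']) && is_array($msg['json'])) {
        return $msg['json'];
    }
    return (isset($msg['msg']) && is_array($msg['msg'])) ? $msg['msg'] : [];
}

// True when the key the client would eval survives into the outbound copy.
function evalKeyReachesClient(array $inbound, callable $strip): bool {
    $outbound = selectOutboundPayload($strip($inbound));
    return array_key_exists(EVAL_KEY, $outbound);
}

// Constructed sample message carrying a harmless marker under both branches.
function sampleInbound(): array {
    return [
        'type' => 'msg',
        'msg'  => ['text' => 'hello', EVAL_KEY => '/* constructed marker */'],
        'json' => ['text' => 'hello', EVAL_KEY => '/* constructed marker */'],
    ];
}

// Self-check: the shallow filter lets the key through, the deep filter does not.
function selfCheck(): void {
    if (!evalKeyReachesClient(sampleInbound(), 'stripEvalKeyShallow')) {
        throw new RuntimeException('shallow strip unexpectedly removed the key');
    }
    if (evalKeyReachesClient(sampleInbound(), 'stripEvalKeyDeep')) {
        throw new RuntimeException('deep strip left the key in the outbound copy');
    }
    // The deep strip must not disturb ordinary fields.
    $cleaned = stripEvalKeyDeep(sampleInbound());
    if (($cleaned['json']['text'] ?? null) !== 'hello') {
        throw new RuntimeException('deep strip altered unrelated content');
    }
    echo "self-check passed\n";
}

selfCheck();
```

The recursive strip only closes the specific routing gap the advisory describes; as long as the client keeps an eval() sink for any server-delivered field, the durable fix is the one in the recommended commit, and the server-side filter should be treated as defence in depth rather than the primary control.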

Tags: Exploit · Fix · RCE · Code Injection

Weakness Enumeration

Related Identifiers: CVE-2026-43874, GHSA-GHCV-22JF-VFXM

Affected Products: Avideo