PT-2026-37292 · Avideo · Avideo

Offset · Published 2026-05-05 · Updated 2026-05-12 · CVE-2026-43876

CVSS v3.1: 6.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: WWBN AVideo versions prior to 29.1

Description: The endpoint "/objects/notifySubscribers.json.php" accepts a raw "message" POST parameter and passes it to the sendSiteEmail() function. That function substitutes the input directly into an HTML email template via str_replace() on the {message} placeholder and renders the result with PHPMailer::msgHTML(), without any HTML sanitization, character escaping, or output encoding.

Authenticated users with upload permissions can therefore broadcast arbitrary HTML, such as phishing links, tracking pixels, and CSS/UI spoofing, to up to 10,000 subscribers per invocation. Because the emails are sent from the platform's configured contact address and carry the official logo and title, they appear to be legitimate site communications. Additionally, the createEmailMessageFromTemplate() function contains a check that lets any payload containing an <html> tag bypass the template entirely and be sent as-is, so an attacker is not even constrained to the layout of the official template.

Recommendations: Update to a version in which the "message" parameter is sanitized or encoded before it reaches PHPMailer::msgHTML(). As a temporary workaround, restrict access to the "/objects/notifySubscribers.json.php" endpoint, or disable the ability of non-administrative users to notify subscribers, until a patch is applied.
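The following is an added example, not code from AVideo or from the advisory, that models the template step described above in a few lines of PHP. renderVulnerable() and renderHardened() are hypothetical stand-ins for the behaviour the advisory attributes to createEmailMessageFromTemplate() and sendSiteEmail(); the template, the stripos() bypass check, and the attacker payloads are constructed for illustration, and the PHPMailer send step is omitted so that only the HTML body that would be handed to PHPMailer::msgHTML() is produced.

```php
<?php
// Added example (not AVideo's code): simplified model of the {message}
// substitution. TEMPLATE is a constructed stand-in for the site email template.
const TEMPLATE = <<<'HTML'
<html><body>
<img src="https://example.invalid/logo.png" alt="Site logo">
<h1>Example Site</h1>
<p>{message}</p>
</body></html>
HTML;

// Vulnerable pattern (hypothetical model of the behaviour described):
// raw str_replace() into the template, so any markup in $message becomes
// live HTML, and a message that already contains <html> skips the template.
function renderVulnerable(string $message): string
{
    if (stripos($message, '<html') !== false) {
        return $message;                       // template bypass: sent as-is
    }
    return str_replace('{message}', $message, TEMPLATE);
}

// Hardened pattern: encode the message before substitution so it is rendered
// as text. Once encoded, the string cannot contain a literal '<html', so the
// bypass branch is removed rather than kept around to be re-enabled by mistake.
function renderHardened(string $message): string
{
    $safe = htmlspecialchars($message, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    // Line breaks are the only formatting the sender is allowed to introduce.
    $safe = nl2br($safe, false);
    return str_replace('{message}', $safe, TEMPLATE);
}

// Constructed attacker inputs of the kind the advisory describes.
$payload = '<a href="https://phish.example.invalid/login">Verify your account</a>'
         . '<img src="https://tracker.example.invalid/p.gif" width="1" height="1">';
$bypass  = '<html><body style="font-family:sans-serif"><p>Fake notice</p></body></html>';

echo renderVulnerable($payload), "\n\n";   // phishing link and pixel are live HTML
echo renderVulnerable($bypass), "\n\n";    // template discarded, attacker HTML sent as-is
echo renderHardened($payload), "\n\n";     // angle brackets encoded, rendered as text
echo renderHardened($bypass), "\n";        // stays inside the official template
```

Run it with `php example.php` and compare the four bodies: the first two are what a subscriber would receive today, the last two are what they would receive once the message is encoded before it reaches the template. Encoding at this point is the right fix because the template is HTML and the message is meant to be text; an allow-list sanitizer would only be appropriate if the feature were meant to let uploaders author HTML.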

Exploit · Fix · XSS


Weakness Enumeration

Related Identifiers

CVE-2026-43876
GHSA-G9CM-RXP7-6GV5

Affected Products

Avideo