{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40911", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-15T16:37:22.768Z", "datePublished": "2026-04-21T19:55:37.195Z", "dateUpdated": "2026-04-22T13:22:26.143Z"}, "containers": {"cna": {"title": "WWBN AVideo YPTSocket WebSocket Broadcast Relay Leads to Unauthenticated Cross-User JavaScript Execution via Client-Side eval() Sinks", "problemTypes": [{"descriptions": [{"cweId": "CWE-94", "lang": "en", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/WWBN/AVideo/security/advisories/GHSA-gph2-j4c9-vhhr", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-gph2-j4c9-vhhr"}, {"name": "https://github.com/WWBN/AVideo/commit/c08694bf6264eb4decceb78c711baee2609b4efd", "tags": ["x_refsource_MISC"], "url": "https://github.com/WWBN/AVideo/commit/c08694bf6264eb4decceb78c711baee2609b4efd"}], "affected": [{"vendor": "WWBN", "product": "AVideo", "versions": [{"version": "<= 29.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-21T19:55:37.195Z"}, "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions 29.0 and prior, the YPTSocket plugin's WebSocket server relays attacker-supplied JSON message bodies to every connected client without sanitizing the `msg` or `callback` fields. On the client side, `plugin/YPTSocket/script.js` contains two `eval()` sinks fed directly by those relayed fields (`json.msg.autoEvalCodeOnHTML` at line 568 and `json.callback` at line 95). Because tokens are minted for anonymous visitors and never revalidated beyond decryption, an unauthenticated attacker can broadcast arbitrary JavaScript that executes in the origin of every currently-connected user (including administrators), resulting in universal account takeover, session theft, and privileged action execution. Commit c08694bf6264eb4decceb78c711baee2609b4efd contains a fix."}], "source": {"advisory": "GHSA-gph2-j4c9-vhhr", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-gph2-j4c9-vhhr", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-22T13:21:59.998968Z", "id": "CVE-2026-40911", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T13:22:26.143Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40911", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-15T16:37:22.768Z", "datePublished": "2026-04-21T19:55:37.195Z", "dateUpdated": "2026-04-22T13:22:26.143Z"}, "containers": {"cna": {"title": "WWBN AVideo YPTSocket WebSocket Broadcast Relay Leads to Unauthenticated Cross-User JavaScript Execution via Client-Side eval() Sinks", "problemTypes": [{"descriptions": [{"cweId": "CWE-94", "lang": "en", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/WWBN/AVideo/security/advisories/GHSA-gph2-j4c9-vhhr", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-gph2-j4c9-vhhr"}, {"name": "https://github.com/WWBN/AVideo/commit/c08694bf6264eb4decceb78c711baee2609b4efd", "tags": ["x_refsource_MISC"], "url": "https://github.com/WWBN/AVideo/commit/c08694bf6264eb4decceb78c711baee2609b4efd"}], "affected": [{"vendor": "WWBN", "product": "AVideo", "versions": [{"version": "<= 29.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-21T19:55:37.195Z"}, "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions 29.0 and prior, the YPTSocket plugin's WebSocket server relays attacker-supplied JSON message bodies to every connected client without sanitizing the `msg` or `callback` fields. On the client side, `plugin/YPTSocket/script.js` contains two `eval()` sinks fed directly by those relayed fields (`json.msg.autoEvalCodeOnHTML` at line 568 and `json.callback` at line 95). Because tokens are minted for anonymous visitors and never revalidated beyond decryption, an unauthenticated attacker can broadcast arbitrary JavaScript that executes in the origin of every currently-connected user (including administrators), resulting in universal account takeover, session theft, and privileged action execution. Commit c08694bf6264eb4decceb78c711baee2609b4efd contains a fix."}], "source": {"advisory": "GHSA-gph2-j4c9-vhhr", "discovery": "UNKNOWN"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-40911", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-22T13:21:59.998968Z"}}}], "references": [{"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-gph2-j4c9-vhhr", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T13:22:22.013Z"}}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*", "matchCriteriaId": "AC38CA07-71C1-4C86-B84A-83CF96367CBA", "versionEndIncluding": "29.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions 29.0 and prior, the YPTSocket plugin's WebSocket server relays attacker-supplied JSON message bodies to every connected client without sanitizing the `msg` or `callback` fields. On the client side, `plugin/YPTSocket/script.js` contains two `eval()` sinks fed directly by those relayed fields (`json.msg.autoEvalCodeOnHTML` at line 568 and `json.callback` at line 95). Because tokens are minted for anonymous visitors and never revalidated beyond decryption, an unauthenticated attacker can broadcast arbitrary JavaScript that executes in the origin of every currently-connected user (including administrators), resulting in universal account takeover, session theft, and privileged action execution. Commit c08694bf6264eb4decceb78c711baee2609b4efd contains a fix."}], "id": "CVE-2026-40911", "lastModified": "2026-04-27T15:12:57.673", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-21T21:16:45.350", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/WWBN/AVideo/commit/c08694bf6264eb4decceb78c711baee2609b4efd"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-gph2-j4c9-vhhr"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-gph2-j4c9-vhhr"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,29.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "AVideo", "source": "cna", "vendor": "WWBN"}, "product": "avideo", "vendor": "wwbn"}], "analysis": {"en": {"generated_at": "2026-04-22T05:24:17.051786+00:00", "value": {"mitigation_remediation": ["Apply the patch referenced in commit c08694bf6264eb4decceb78c711baee2609b4efd or upgrade to any AVideo version newer than 29.0 in which the YPTSocket plugin sanitizes input and removes the eval sinks.", "If an immediate upgrade is not feasible, temporarily disable the YPTSocket plugin or block WebSocket traffic to the plugin endpoint from untrusted networks to prevent broadcast of malicious payloads.", "Review and enforce stricter token validation for anonymous visitors, ensuring that tokens are revalidated on each use or replaced with authenticated session mechanisms, to eliminate the ability for unauthenticated actors to launch the exploit."], "summary": {"action": "Immediate Patch", "impact": "Cross\u2011User Remote JavaScript Execution leading to Account Takeover"}, "threat_synthesis": {"affected_systems": "WWBN AVideo, specifically the YPTSocket plugin in releases 29.0 and earlier. The fix was included in commit c08694bf6264eb4decceb78c711baee2609b4efd, which removed the unsanitized eval sinks and added proper validation.", "description_and_impact": "The YPTSocket plugin in WWBN AVideo versions 29.0 and earlier forwards attacker\u2011supplied JSON message bodies to all connected clients without any sanitization. Two eval() sinks on the client side\u2014one that evaluates code contained in the JSON field autoEvalCodeOnHTML and another that evaluates the JSON field callback\u2014can be triggered by the data sent through these messages. An attacker can thus broadcast arbitrary JavaScript that is executed in the context of every user currently connected to the WebSocket server, including administrators. This enables universal account takeover, session hijacking, and execution of privileged actions. The vulnerability is effective even for unauthenticated users because tokens minted for anonymous visitors are not revalidated beyond decryption, allowing the attacker to deliver malicious payloads without first authenticating.", "risk_and_exploitability": "This weakness corresponds to CWE\u201194 code injection and carries a CVSS score of 10, indicating critical severity. The EPSS score is not available, but the lack of an EPSS rating does not diminish the inherent risk presented by the ability to inject and execute code on all connected clients. The vulnerability is not listed in the CISA KEV catalog, yet the attack requires only a WebSocket connection to the vulnerable plugin; an unauthenticated attacker can trigger the exploit without needing elevated privileges or prior knowledge of user credentials. The combination of a high severity rating, the lack of authentication checks, and the widespread use of WebSocket connections makes exploitation highly likely in exposed deployments."}}}}, "created": "2026-04-22T04:15:07.394042+00:00", "updated": "2026-04-22T05:30:09.555452+00:00", "vendors": ["wwbn", "wwbn$PRODUCT$avideo"]}