Skip to main content

AVideo CVE-2026-43876

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-05-05 https://github.com/WWBN/AVideo GHSA-g9cm-rxp7-6gv5
6.4
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Source Code Evidence Fetched
May 05, 2026 - 20:01 vuln.today
Analysis Generated
May 05, 2026 - 20:01 vuln.today

DescriptionGitHub Advisory

Summary

objects/notifySubscribers.json.php takes the raw message POST parameter and passes it into sendSiteEmail(), which substitutes it directly into an HTML email template (via str_replace on the {message} placeholder) and renders it with PHPMailer::msgHTML(). There is no HTML sanitization, character escaping, or output encoding on the attacker-controlled message between $_POST['message'] and the rendered email. Any authenticated user with upload permission can therefore broadcast arbitrary HTML - phishing links, tracking pixels, CSS/UI spoofing - to every subscriber on their channel (up to 10,000 recipients per invocation). The email is sent From: the platform's configured contact address and wrapped in the site's official logo and title, so attacker-supplied HTML arrives with the appearance of an official platform communication.

Details

File: objects/notifySubscribers.json.php

php
10: if (!User::canUpload()) {
11:     forbiddenPage('You can not notify');
12: }
13: forbidIfIsUntrustedRequest('notifySubscribers');
14: $user_id = User::getId();
15: // if admin bring all subscribers
16: if (User::isAdmin()) {
17:     $user_id = '';
18: }
19:
20: require_once 'subscribe.php';
21: setRowCount(10000);
...
23: $Subscribes = Subscribe::getAllSubscribes($user_id);
...
34: $subject = 'Message From Site ' . $config->getWebSiteTitle();
35: $message = $_POST['message'];
36:
37: $resp = sendSiteEmail($to, $subject, $message);

Controls present at the entry point:

  • User::canUpload() - gates access to any account that can upload (a baseline authenticated uploader role; in typical AVideo configurations where authCanUploadVideos is enabled, this is any logged-in user with a verified email).
  • forbidIfIsUntrustedRequest('notifySubscribers') - in objects/functionsSecurity.php:138-165, this delegates to isUntrustedRequest() which only validates same-origin via requestComesFromSameDomainAsMyAVideo() (objects/functionsAVideo.php:199-206), i.e. a Referer/Origin header check. It is not a CSRF token. An attacker acting on their own authenticated browser session trivially satisfies the Referer check.

There is no CAPTCHA, no rate limit, no per-recipient quota, and no unsubscribe link. setRowCount(10000) allows up to 10,000 subscriber rows to be pulled and mailed in a single request. For admin callers (User::isAdmin()$user_id = ''), Subscribe::getAllSubscribes('') returns the entire subscriber set for the platform rather than the caller's channel.

File: objects/functionsMail.php

php
 59: function sendSiteEmail($to, $subject, $message, $fromEmail = '', $fromName = '')
 60: {
 ...
 78:     $subject = UTF8encode($subject);
 79:     $message = UTF8encode($message);            // UTF-8 normalization, no HTML handling
 80:     $message = createEmailMessageFromTemplate($message);
 ...
119:             $mail = new \PHPMailer\PHPMailer\PHPMailer();
120:             setSiteSendMessage($mail);
...
125:             $systemEmail = $config->getContactEmail();
126:             $systemName  = $config->getWebSiteTitle();
...
136:             $mail->setFrom($systemEmail, !empty($fromName) ? $fromName : $systemName);
...
143:             $mail->msgHTML($message);           // renders as HTML
...
162:             $resp = $mail->send();
php
266: function createEmailMessageFromTemplate($message)
267: {
268:     if (preg_match("/html>/i", $message)) {
269:         return $message;                       // attacker-supplied full-HTML is returned verbatim
270:     }
...
274:     $text = file_get_contents("{$global['systemRootPath']}view/include/emailTemplate.html");
...
279:     $words   = [$logo, $message, $siteTitle];
280:     $replace = ['{logo}', '{message}', '{siteTitle}'];
281:
282:     return str_replace($replace, $words, $text);   // raw substitution into HTML template
283: }

Execution flow from attacker input to sink:

  1. $_POST['message']objects/notifySubscribers.json.php:35 (raw, no validation).
  2. sendSiteEmail($to, $subject, $message) at objects/notifySubscribers.json.php:37.
  3. UTF8encode($message) at objects/functionsMail.php:79 (encoding only; does not strip or escape HTML).
  4. createEmailMessageFromTemplate($message) at objects/functionsMail.php:80str_replace('{message}', $message, $text) at objects/functionsMail.php:282, substituting attacker HTML directly into the {message} placeholder in view/include/emailTemplate.html.
  5. $mail->msgHTML($message) at objects/functionsMail.php:143. PHPMailer renders the combined template (containing the attacker's unsanitized HTML) as an HTML email.
  6. The From: header is $config->getContactEmail() / $config->getWebSiteTitle() (objects/functionsMail.php:125-136). The template contains the platform's logo via getURL($config->getLogo()). The result is an attacker-controlled HTML body delivered from the platform's trusted sender address, officially branded.

Note that the preg_match("/html>/i", $message) at line 268 actively *helps* the attacker: any payload containing <html> short-circuits template substitution and is sent as-is, allowing the attacker to control the full email body including DOCTYPE, head, and body.

PoC

  1. Obtain an account with upload permission (on AVideo installations where authCanUploadVideos is enabled, any registered and email-verified user qualifies). An admin account broadens the recipient set to the entire platform rather than just the attacker's own subscribers.
  2. Ensure the attacker's channel has at least one subscriber (via Subscribe::getAllSubscribes($user_id)), or use an admin account to target all platform subscribers.
  3. Submit the request. The Referer header must match the platform origin to pass forbidIfIsUntrustedRequest (trivial when running from the attacker's own authenticated browser):
bash
curl -b 'PHPSESSID=<uploader_session>' -X POST \
  -H 'Referer: https://target.example/' \
  'https://target.example/objects/notifySubscribers.json.php' \
  --data-urlencode 'message=<h1 style="color:#c00">Action Required: Verify Your Account</h1>
<p>Dear Subscriber,</p>
<p>We detected unusual activity on your account. Please
<a href="https://attacker.example/phish">click here to verify your identity within 24 hours</a>
or your account will be suspended.</p>
<p>Thank you,<br>The Support Team</p>
<img src="https://attacker.example/track.png" width="1" height="1">'
  1. Expected response:
json
{"error": false, "msg": ""}
  1. Every subscriber in the target set receives an HTML email:
  • From: <contact@target.example> (the platform's configured contact email - not the attacker's address).
  • Subject: Message From Site <SiteTitle> - <SiteTitle> (built at objects/notifySubscribers.json.php:34 + objects/functionsMail.php:138-141).
  • Body: the view/include/emailTemplate.html template with the platform's real logo substituted at {logo} and the attacker's unsanitized HTML substituted at {message}, including the phishing anchor and tracking pixel.
  1. Delivery is batched via partition($to, $size) at objects/functionsMail.php:114-118 over up to 10,000 subscribers in a single request. There is no rate limit, CAPTCHA, confirmation step, or unsubscribe header.

Impact

  • Any authenticated uploader can weaponize the platform's own email infrastructure and brand (contact email, logo, site title) to deliver phishing content to their channel subscribers.
  • Because the From: address is the platform's canonical contact email and the template wraps the attacker content in the official logo and site title, recipients have no visible indication that the content originated from an uploader rather than the operator. Recipients who have previously received legitimate notifications from the same address are especially likely to trust the email.
  • Phishing payloads can include credential-stealing links mimicking password reset / account verification flows, tracking pixels that enumerate subscriber IPs and mail-client metadata, and CSS-based UI spoofing over the template.
  • An admin account (User::isAdmin()$user_id = '') expands the blast radius to every subscriber record on the platform, not just the attacker's own subscribers.
  • Up to 10,000 recipients per request with no rate limiting, CAPTCHA, or unsubscribe link, so a compromised or malicious uploader can sustain large phishing campaigns at minimal cost, while the sending IP reputation is borne by the platform operator.
  • A stolen uploader session (e.g., via an unrelated XSS or token leak) is sufficient to mount the attack; no additional credentials or admin access are required.

Recommended Fix

Sanitize or encode $_POST['message'] before it reaches PHPMailer::msgHTML(). Options, in order of preference:

  1. Reject HTML outright and force plain text. In objects/notifySubscribers.json.php:
php
   $message = $_POST['message'] ?? '';
   // Strip all HTML; allow only newlines / plain text.
   $message = strip_tags($message);
   $message = nl2br(htmlspecialchars($message, ENT_QUOTES | ENT_HTML5, 'UTF-8'));
  1. Or allow a very restricted subset using a proven HTML sanitizer (e.g. HTMLPurifier with a minimal whitelist: p, br, strong, em, a[href|title], ul, ol, li), and forbid <script>, <style>, inline event handlers, <img>, <iframe>, data:/javascript: URIs, and framework-style template tokens.
  2. Additionally remove the preg_match("/html>/i", $message) short-circuit at objects/functionsMail.php:268-270, which lets a caller replace the entire email body by including a <html> tag. The template should always be applied.
  3. Defense in depth:
  • Require a real anti-CSRF token on this endpoint (e.g. validateCSRF() with a per-session token in a header or POST field), and drop the Referer-only forbidIfIsUntrustedRequest as the sole protection.
  • Require User::isAdmin() to notify subscribers from accounts not scoped to a channel; for non-admin uploaders, make the From display name clearly attribute the message to the uploader ("{uploaderName} via {siteTitle} <contact@site>" already works for non-system senders in objects/functionsMail.php:130-134 - apply the same attribution to subscriber notifications).
  • Enforce per-account and per-IP rate limits on notifySubscribers.json.php (e.g. one broadcast per account per N hours, max M recipients per day).
  • Include a List-Unsubscribe header and a per-recipient unsubscribe link.
  • Add a preview + confirmation step before dispatch.

AnalysisAI

Stored HTML injection in AVideo's notifySubscribers endpoint allows any authenticated uploader to broadcast platform-branded phishing emails to up to 10,000 channel subscribers without sanitization, escaping, or rate limits. The attacker-supplied HTML is injected directly into the email template via str_replace and rendered by PHPMailer, arriving with the platform's official contact email address, logo, and site title, enabling credential theft and reconnaissance at scale with no visible indication that content originated from an uploader rather than the platform operator.

Technical ContextAI

The vulnerability exists in objects/notifySubscribers.json.php, which accepts raw POST message data and passes it to sendSiteEmail() in objects/functionsMail.php. The message parameter undergoes only UTF-8 encoding via UTF8encode() (no HTML stripping), then is substituted via str_replace() into the {message} placeholder in view/include/emailTemplate.html. The combined template is passed directly to PHPMailer::msgHTML(), which parses and renders it as HTML. The preg_match('/html>/i', $message) check at line 268 of functionsMail.php actively bypasses the template system if the payload contains '<html>', allowing an attacker to provide a full email body including DOCTYPE and head elements. The authentication gate (User::canUpload()) permits any uploader role, and the CSRF protection is limited to a Referer header check (forbidIfIsUntrustedRequest), not a cryptographic token. The application uses setRowCount(10000) to batch up to 10,000 subscribers per request with no rate limiting, CAPTCHA, or unsubscribe mechanism. For admin accounts, $user_id is set to empty string, causing Subscribe::getAllSubscribes('') to return the entire platform subscriber set rather than just the caller's channel.

RemediationAI

Apply the vendor patch from GitHub commit 078c4342eb9969a70425a9cdca3eefa7f8a86d53, which removes the raw $_POST['message'] assignment and replaces it with $message = nl2br(xss_esc($message)), converting the message to plaintext with newline-to-break-tag conversion and XSS-safe escaping. This enforces plaintext-only notifications, preventing arbitrary HTML injection. If a patched release is not yet available, the immediate workaround is to replace the vulnerable lines in objects/notifySubscribers.json.php with strip_tags($message) followed by nl2br(htmlspecialchars($message, ENT_QUOTES | ENT_HTML5, 'UTF-8')) to strip all HTML and escape special characters before passing to sendSiteEmail(). Additionally, remove or disable the preg_match('/html>/i', $message) short-circuit at objects/functionsMail.php line 268-270 to ensure the email template is always applied (not bypassed by attacker-supplied <html> tags). Implement a real anti-CSRF token (not just Referer header validation) on the notifySubscribers endpoint. For defense in depth: add per-account and per-IP rate limiting to the endpoint (e.g., one broadcast per account per 24 hours, max 50,000 recipients per day), require explicit admin review for broadcasts to more than 1,000 subscribers, change the From display name for non-admin uploads to clearly attribute the message to the uploader rather than the platform (e.g., 'UploadName via SiteTitle'), and include List-Unsubscribe headers and per-recipient unsubscribe links in the email. Monitor for abuse patterns: high-volume notifySubscribers requests, messages containing URL patterns or phishing keywords, and subscriber unsubscribe surges following notifications.

More in PHP

View all
CVE-2012-1823 CRITICAL POC
9.8 May 11

sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not

CVE-2016-1555 CRITICAL POC
9.8 Apr 21

(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear

CVE-2024-11680 CRITICAL POC
9.8 Nov 26

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C

CVE-2025-49113 CRITICAL POC
9.9 Jun 02

Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au

CVE-2017-9841 CRITICAL POC
9.8 Jun 27

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c

CVE-2025-0108 HIGH POC
8.8 Feb 12

Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers

CVE-2021-25298 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2021-25296 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2013-4983 CRITICAL POC
10.0 Sep 10

The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-46506 CRITICAL POC
10.0 May 13

NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

Share

CVE-2026-43876 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy