AVideo CVE-2026-43876
MEDIUMSeverity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionGitHub Advisory
Summary
objects/notifySubscribers.json.php takes the raw message POST parameter and passes it into sendSiteEmail(), which substitutes it directly into an HTML email template (via str_replace on the {message} placeholder) and renders it with PHPMailer::msgHTML(). There is no HTML sanitization, character escaping, or output encoding on the attacker-controlled message between $_POST['message'] and the rendered email. Any authenticated user with upload permission can therefore broadcast arbitrary HTML - phishing links, tracking pixels, CSS/UI spoofing - to every subscriber on their channel (up to 10,000 recipients per invocation). The email is sent From: the platform's configured contact address and wrapped in the site's official logo and title, so attacker-supplied HTML arrives with the appearance of an official platform communication.
Details
File: objects/notifySubscribers.json.php
10: if (!User::canUpload()) {
11: forbiddenPage('You can not notify');
12: }
13: forbidIfIsUntrustedRequest('notifySubscribers');
14: $user_id = User::getId();
15: // if admin bring all subscribers
16: if (User::isAdmin()) {
17: $user_id = '';
18: }
19:
20: require_once 'subscribe.php';
21: setRowCount(10000);
...
23: $Subscribes = Subscribe::getAllSubscribes($user_id);
...
34: $subject = 'Message From Site ' . $config->getWebSiteTitle();
35: $message = $_POST['message'];
36:
37: $resp = sendSiteEmail($to, $subject, $message);Controls present at the entry point:
User::canUpload()- gates access to any account that can upload (a baseline authenticated uploader role; in typical AVideo configurations whereauthCanUploadVideosis enabled, this is any logged-in user with a verified email).forbidIfIsUntrustedRequest('notifySubscribers')- inobjects/functionsSecurity.php:138-165, this delegates toisUntrustedRequest()which only validates same-origin viarequestComesFromSameDomainAsMyAVideo()(objects/functionsAVideo.php:199-206), i.e. a Referer/Origin header check. It is not a CSRF token. An attacker acting on their own authenticated browser session trivially satisfies the Referer check.
There is no CAPTCHA, no rate limit, no per-recipient quota, and no unsubscribe link. setRowCount(10000) allows up to 10,000 subscriber rows to be pulled and mailed in a single request. For admin callers (User::isAdmin() → $user_id = ''), Subscribe::getAllSubscribes('') returns the entire subscriber set for the platform rather than the caller's channel.
File: objects/functionsMail.php
59: function sendSiteEmail($to, $subject, $message, $fromEmail = '', $fromName = '')
60: {
...
78: $subject = UTF8encode($subject);
79: $message = UTF8encode($message); // UTF-8 normalization, no HTML handling
80: $message = createEmailMessageFromTemplate($message);
...
119: $mail = new \PHPMailer\PHPMailer\PHPMailer();
120: setSiteSendMessage($mail);
...
125: $systemEmail = $config->getContactEmail();
126: $systemName = $config->getWebSiteTitle();
...
136: $mail->setFrom($systemEmail, !empty($fromName) ? $fromName : $systemName);
...
143: $mail->msgHTML($message); // renders as HTML
...
162: $resp = $mail->send();266: function createEmailMessageFromTemplate($message)
267: {
268: if (preg_match("/html>/i", $message)) {
269: return $message; // attacker-supplied full-HTML is returned verbatim
270: }
...
274: $text = file_get_contents("{$global['systemRootPath']}view/include/emailTemplate.html");
...
279: $words = [$logo, $message, $siteTitle];
280: $replace = ['{logo}', '{message}', '{siteTitle}'];
281:
282: return str_replace($replace, $words, $text); // raw substitution into HTML template
283: }Execution flow from attacker input to sink:
$_POST['message']→objects/notifySubscribers.json.php:35(raw, no validation).- →
sendSiteEmail($to, $subject, $message)atobjects/notifySubscribers.json.php:37. - →
UTF8encode($message)atobjects/functionsMail.php:79(encoding only; does not strip or escape HTML). - →
createEmailMessageFromTemplate($message)atobjects/functionsMail.php:80→str_replace('{message}', $message, $text)atobjects/functionsMail.php:282, substituting attacker HTML directly into the{message}placeholder inview/include/emailTemplate.html. - →
$mail->msgHTML($message)atobjects/functionsMail.php:143. PHPMailer renders the combined template (containing the attacker's unsanitized HTML) as an HTML email. - The
From:header is$config->getContactEmail()/$config->getWebSiteTitle()(objects/functionsMail.php:125-136). The template contains the platform's logo viagetURL($config->getLogo()). The result is an attacker-controlled HTML body delivered from the platform's trusted sender address, officially branded.
Note that the preg_match("/html>/i", $message) at line 268 actively *helps* the attacker: any payload containing <html> short-circuits template substitution and is sent as-is, allowing the attacker to control the full email body including DOCTYPE, head, and body.
PoC
- Obtain an account with upload permission (on AVideo installations where
authCanUploadVideosis enabled, any registered and email-verified user qualifies). An admin account broadens the recipient set to the entire platform rather than just the attacker's own subscribers. - Ensure the attacker's channel has at least one subscriber (via
Subscribe::getAllSubscribes($user_id)), or use an admin account to target all platform subscribers. - Submit the request. The
Refererheader must match the platform origin to passforbidIfIsUntrustedRequest(trivial when running from the attacker's own authenticated browser):
curl -b 'PHPSESSID=<uploader_session>' -X POST \
-H 'Referer: https://target.example/' \
'https://target.example/objects/notifySubscribers.json.php' \
--data-urlencode 'message=<h1 style="color:#c00">Action Required: Verify Your Account</h1>
<p>Dear Subscriber,</p>
<p>We detected unusual activity on your account. Please
<a href="https://attacker.example/phish">click here to verify your identity within 24 hours</a>
or your account will be suspended.</p>
<p>Thank you,<br>The Support Team</p>
<img src="https://attacker.example/track.png" width="1" height="1">'- Expected response:
{"error": false, "msg": ""}- Every subscriber in the target set receives an HTML email:
From:<contact@target.example>(the platform's configured contact email - not the attacker's address).Subject:Message From Site <SiteTitle> - <SiteTitle>(built atobjects/notifySubscribers.json.php:34+objects/functionsMail.php:138-141).- Body: the
view/include/emailTemplate.htmltemplate with the platform's real logo substituted at{logo}and the attacker's unsanitized HTML substituted at{message}, including the phishing anchor and tracking pixel.
- Delivery is batched via
partition($to, $size)atobjects/functionsMail.php:114-118over up to 10,000 subscribers in a single request. There is no rate limit, CAPTCHA, confirmation step, or unsubscribe header.
Impact
- Any authenticated uploader can weaponize the platform's own email infrastructure and brand (contact email, logo, site title) to deliver phishing content to their channel subscribers.
- Because the
From:address is the platform's canonical contact email and the template wraps the attacker content in the official logo and site title, recipients have no visible indication that the content originated from an uploader rather than the operator. Recipients who have previously received legitimate notifications from the same address are especially likely to trust the email. - Phishing payloads can include credential-stealing links mimicking password reset / account verification flows, tracking pixels that enumerate subscriber IPs and mail-client metadata, and CSS-based UI spoofing over the template.
- An admin account (
User::isAdmin()→$user_id = '') expands the blast radius to every subscriber record on the platform, not just the attacker's own subscribers. - Up to 10,000 recipients per request with no rate limiting, CAPTCHA, or unsubscribe link, so a compromised or malicious uploader can sustain large phishing campaigns at minimal cost, while the sending IP reputation is borne by the platform operator.
- A stolen uploader session (e.g., via an unrelated XSS or token leak) is sufficient to mount the attack; no additional credentials or admin access are required.
Recommended Fix
Sanitize or encode $_POST['message'] before it reaches PHPMailer::msgHTML(). Options, in order of preference:
- Reject HTML outright and force plain text. In
objects/notifySubscribers.json.php:
$message = $_POST['message'] ?? '';
// Strip all HTML; allow only newlines / plain text.
$message = strip_tags($message);
$message = nl2br(htmlspecialchars($message, ENT_QUOTES | ENT_HTML5, 'UTF-8'));- Or allow a very restricted subset using a proven HTML sanitizer (e.g.
HTMLPurifierwith a minimal whitelist:p, br, strong, em, a[href|title], ul, ol, li), and forbid<script>,<style>, inline event handlers,<img>,<iframe>,data:/javascript:URIs, and framework-style template tokens. - Additionally remove the
preg_match("/html>/i", $message)short-circuit atobjects/functionsMail.php:268-270, which lets a caller replace the entire email body by including a<html>tag. The template should always be applied. - Defense in depth:
- Require a real anti-CSRF token on this endpoint (e.g.
validateCSRF()with a per-session token in a header or POST field), and drop the Referer-onlyforbidIfIsUntrustedRequestas the sole protection. - Require
User::isAdmin()to notify subscribers from accounts not scoped to a channel; for non-admin uploaders, make theFromdisplay name clearly attribute the message to the uploader ("{uploaderName} via {siteTitle} <contact@site>"already works for non-system senders inobjects/functionsMail.php:130-134- apply the same attribution to subscriber notifications). - Enforce per-account and per-IP rate limits on
notifySubscribers.json.php(e.g. one broadcast per account per N hours, max M recipients per day). - Include a List-Unsubscribe header and a per-recipient unsubscribe link.
- Add a preview + confirmation step before dispatch.
AnalysisAI
Stored HTML injection in AVideo's notifySubscribers endpoint allows any authenticated uploader to broadcast platform-branded phishing emails to up to 10,000 channel subscribers without sanitization, escaping, or rate limits. The attacker-supplied HTML is injected directly into the email template via str_replace and rendered by PHPMailer, arriving with the platform's official contact email address, logo, and site title, enabling credential theft and reconnaissance at scale with no visible indication that content originated from an uploader rather than the platform operator.
Technical ContextAI
The vulnerability exists in objects/notifySubscribers.json.php, which accepts raw POST message data and passes it to sendSiteEmail() in objects/functionsMail.php. The message parameter undergoes only UTF-8 encoding via UTF8encode() (no HTML stripping), then is substituted via str_replace() into the {message} placeholder in view/include/emailTemplate.html. The combined template is passed directly to PHPMailer::msgHTML(), which parses and renders it as HTML. The preg_match('/html>/i', $message) check at line 268 of functionsMail.php actively bypasses the template system if the payload contains '<html>', allowing an attacker to provide a full email body including DOCTYPE and head elements. The authentication gate (User::canUpload()) permits any uploader role, and the CSRF protection is limited to a Referer header check (forbidIfIsUntrustedRequest), not a cryptographic token. The application uses setRowCount(10000) to batch up to 10,000 subscribers per request with no rate limiting, CAPTCHA, or unsubscribe mechanism. For admin accounts, $user_id is set to empty string, causing Subscribe::getAllSubscribes('') to return the entire platform subscriber set rather than just the caller's channel.
RemediationAI
Apply the vendor patch from GitHub commit 078c4342eb9969a70425a9cdca3eefa7f8a86d53, which removes the raw $_POST['message'] assignment and replaces it with $message = nl2br(xss_esc($message)), converting the message to plaintext with newline-to-break-tag conversion and XSS-safe escaping. This enforces plaintext-only notifications, preventing arbitrary HTML injection. If a patched release is not yet available, the immediate workaround is to replace the vulnerable lines in objects/notifySubscribers.json.php with strip_tags($message) followed by nl2br(htmlspecialchars($message, ENT_QUOTES | ENT_HTML5, 'UTF-8')) to strip all HTML and escape special characters before passing to sendSiteEmail(). Additionally, remove or disable the preg_match('/html>/i', $message) short-circuit at objects/functionsMail.php line 268-270 to ensure the email template is always applied (not bypassed by attacker-supplied <html> tags). Implement a real anti-CSRF token (not just Referer header validation) on the notifySubscribers endpoint. For defense in depth: add per-account and per-IP rate limiting to the endpoint (e.g., one broadcast per account per 24 hours, max 50,000 recipients per day), require explicit admin review for broadcasts to more than 1,000 subscribers, change the From display name for non-admin uploads to clearly attribute the message to the uploader rather than the platform (e.g., 'UploadName via SiteTitle'), and include List-Unsubscribe headers and per-recipient unsubscribe links in the email. Monitor for abuse patterns: high-volume notifySubscribers requests, messages containing URL patterns or phishing keywords, and subscriber unsubscribe surges following notifications.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-g9cm-rxp7-6gv5