Skip to main content

AVideo CVE-2026-49279

HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-06-04 https://github.com/WWBN/AVideo GHSA-2fhx-q92v-5fhv
7.7
CVSS 4.0 · Vendor: https://github.com/WWBN/AVideo
Share

Severity by source

Vendor (https://github.com/WWBN/AVideo) PRIMARY
7.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.6 HIGH

Network-reachable but needs a low-privilege account (PR:L) and a connected victim who receives the payload (UI:R); stored XSS crosses into the browser security authority (S:C) with cookie theft (C:H), limited integrity via action forgery (I:L), and no availability impact (A:N).

3.1 AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N
4.0 AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (https://github.com/WWBN/AVideo).

CVSS VectorVendor: https://github.com/WWBN/AVideo

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

5
Analysis Updated
Jul 15, 2026 - 22:29 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jul 15, 2026 - 22:22 vuln.today
cvss_changed
CVSS changed
Jul 15, 2026 - 22:22 NVD
7.7 (HIGH)
Source Code Evidence Fetched
Jun 04, 2026 - 19:20 vuln.today
Analysis Generated
Jun 04, 2026 - 19:20 vuln.today

DescriptionCVE.org

AVideo: Stored XSS via autoEvalCodeOnHTML in MessageSQLite WebSocket Handler

Summary

AVideo has a stored XSS vulnerability in the WebSocket messaging system. The MessageSQLite.php handler only strips autoEvalCodeOnHTML from $json['msg'], but msgToResourceId() reads from $msg['json'] with higher priority. An attacker can place the XSS payload in the json key instead of msg, bypassing the sanitization entirely.

Affected Versions

AVideo <= latest

Vulnerability Details

Root Cause: Shallow sanitization only covers $json['msg']

plugin/YPTSocket/MessageSQLite.php lines 268-271 - the incomplete fix:

php
if (empty($msgObj->isCommandLineInterface) && ($msgObj->sentFrom ?? '') !== 'php') {
    if (is_array($json['msg'] ?? null)) {
        unset($json['msg']['autoEvalCodeOnHTML']);  // Only strips from $json['msg']
    }
}

plugin/YPTSocket/MessageSQLite.php lines 361-367 - the bypass via msgToResourceId():

php
if (!empty($msg['json'])) {
    $obj['msg'] = $msg['json'];       // $msg['json']['autoEvalCodeOnHTML'] is NEVER stripped
} else if (!empty($msg['msg'])) {
    $obj['msg'] = $msg['msg'];        // Only this path was sanitized
} else {
    $obj['msg'] = $msg;
}

Compare with the correctly patched Message.php (lines 254-256):

php
$json = removeAutoEvalCodeOnHTMLRecursive($json);  // Strips from ALL nested paths

And MessageSQLiteV2.php (lines 302-303):

php
$json = removeAutoEvalCodeOnHTMLRecursive($json);  // Same recursive fix

MessageSQLite.php does not call removeAutoEvalCodeOnHTMLRecursive() at all.

Attack Chain

  • Attacker sends a WebSocket message with autoEvalCodeOnHTML in the json key instead of msg
  • The fix at line 268-271 only checks $json['msg'] - the json key is untouched
  • msgToResourceId() reads $msg['json'] first (line 361) because !empty($msg['json']) is true
  • The payload is delivered to the victim's WebSocket client and evaluated via autoEvalCodeOnHTML

Proof of Concept

javascript
// Connect to AVideo WebSocket as authenticated user
const ws = new WebSocket('wss://TARGET/plugin/YPTSocket/server.php?token=USER_TOKEN');

ws.onopen = () => {
  ws.send(JSON.stringify({
    msg: "Hello",                               // sanitized path - decoy
    json: {autoEvalCodeOnHTML: "alert('XSS')"},  // unsanitized path - payload
    to_users_id: VICTIM_USER_ID,
    resourceId: RESOURCE_ID
  }));
};
// Victim's client evaluates alert('XSS') via autoEvalCodeOnHTML mechanism

Impact

An authenticated attacker can:

  • Execute arbitrary JavaScript in any connected user's browser session via the WebSocket messaging system
  • Steal session cookies and authentication tokens
  • Perform account takeover via session hijacking
  • Chain with CSRF to execute admin actions on behalf of the victim

The vulnerability affects the default SQLite WebSocket backend configuration.

Suggested Remediation

Apply removeAutoEvalCodeOnHTMLRecursive() in MessageSQLite.php, consistent with Message.php and MessageSQLiteV2.php:

php
// Before (vulnerable - shallow strip):
if (is_array($json['msg'] ?? null)) {
    unset($json['msg']['autoEvalCodeOnHTML']);
}

// After (fixed - recursive strip):
$json = removeAutoEvalCodeOnHTMLRecursive($json);

AnalysisAI

Stored cross-site scripting in WWBN AVideo (all versions through 29.0) lets an authenticated user execute arbitrary JavaScript in other connected users' browsers via the SQLite-backed YPTSocket WebSocket messaging system. The flaw is an incomplete-fix bypass of CVE-2026-43874: the prior patch only stripped the autoEvalCodeOnHTML key from $json['msg'], but msgToResourceId() prioritizes the sibling json key, so a payload placed there reaches the victim unsanitized. Publicly available exploit code exists in the GitHub advisory PoC; EPSS is low (0.13%) and it is not on CISA KEV, so no active exploitation is indicated.

Technical ContextAI

AVideo is an open-source PHP video-sharing/streaming platform (Composer package wwbn/avideo). The affected component is the YPTSocket real-time messaging plugin's SQLite backend, plugin/YPTSocket/MessageSQLite.php. AVideo supports an autoEvalCodeOnHTML message field that causes the receiving WebSocket client to evaluate attacker-supplied markup/JavaScript - effectively a designed code-injection sink that must be stripped from untrusted, non-PHP-originated messages. The root cause is CWE-79 (improper neutralization of input during web page generation) compounded by incomplete input sanitization: the handler unsets autoEvalCodeOnHTML only from the msg sub-array, while the relay function msgToResourceId() reads $msg['json'] with higher priority than $msg['msg'], leaving the json path unfiltered. The correctly patched sibling handlers Message.php and MessageSQLiteV2.php already call removeAutoEvalCodeOnHTMLRecursive() to strip the key from all nested paths; MessageSQLite.php, the default SQLite backend, did not.

RemediationAI

Upstream fix available (PR/commit); released patched version not independently confirmed - the Composer advisory lists 'fixed in: None' and the fix is delivered as commit 3e0b3ce2bfa766183ff0ae227439394db57b1a23 (https://github.com/WWBN/AVideo/commit/3e0b3ce2bfa766183ff0ae227439394db57b1a23) rather than a tagged release. Apply that commit, which replaces the shallow unset($json['msg']['autoEvalCodeOnHTML']) with a call to a new recursive helper removeAutoEvalCodeOnHTMLRecursive($json) that strips the key from every nested path in MessageSQLite.php, matching the already-fixed Message.php and MessageSQLiteV2.php. If you cannot immediately deploy the commit, a compensating control is to switch the YPTSocket backend from the default SQLite handler to MessageSQLiteV2.php, which already contains the recursive sanitization - with the trade-off of validating that the V2 backend is compatible with your deployment. As a further interim measure, restrict or disable the YPTSocket WebSocket messaging feature to trusted users, accepting the loss of real-time chat/notification functionality. Track the vendor advisory GHSA-2fhx-q92v-5fhv for a formally tagged patched release.

More in PHP

View all
CVE-2012-1823 CRITICAL POC
9.8 May 11

sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not

CVE-2016-1555 CRITICAL POC
9.8 Apr 21

(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear

CVE-2024-11680 CRITICAL POC
9.8 Nov 26

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C

CVE-2025-49113 CRITICAL POC
9.9 Jun 02

Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au

CVE-2017-9841 CRITICAL POC
9.8 Jun 27

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c

CVE-2025-0108 HIGH POC
8.8 Feb 12

Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers

CVE-2021-25298 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2021-25296 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2013-4983 CRITICAL POC
10.0 Sep 10

The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-46506 CRITICAL POC
10.0 May 13

NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

Share

CVE-2026-49279 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy