AVideo CVE-2026-49279
HIGHSeverity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable but needs a low-privilege account (PR:L) and a connected victim who receives the payload (UI:R); stored XSS crosses into the browser security authority (S:C) with cookie theft (C:H), limited integrity via action forgery (I:L), and no availability impact (A:N).
Primary rating from Vendor (https://github.com/WWBN/AVideo).
CVSS VectorVendor: https://github.com/WWBN/AVideo
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
5DescriptionCVE.org
AVideo: Stored XSS via autoEvalCodeOnHTML in MessageSQLite WebSocket Handler
Summary
AVideo has a stored XSS vulnerability in the WebSocket messaging system. The MessageSQLite.php handler only strips autoEvalCodeOnHTML from $json['msg'], but msgToResourceId() reads from $msg['json'] with higher priority. An attacker can place the XSS payload in the json key instead of msg, bypassing the sanitization entirely.
Affected Versions
AVideo <= latest
Vulnerability Details
Root Cause: Shallow sanitization only covers $json['msg']
plugin/YPTSocket/MessageSQLite.php lines 268-271 - the incomplete fix:
if (empty($msgObj->isCommandLineInterface) && ($msgObj->sentFrom ?? '') !== 'php') {
if (is_array($json['msg'] ?? null)) {
unset($json['msg']['autoEvalCodeOnHTML']); // Only strips from $json['msg']
}
}plugin/YPTSocket/MessageSQLite.php lines 361-367 - the bypass via msgToResourceId():
if (!empty($msg['json'])) {
$obj['msg'] = $msg['json']; // $msg['json']['autoEvalCodeOnHTML'] is NEVER stripped
} else if (!empty($msg['msg'])) {
$obj['msg'] = $msg['msg']; // Only this path was sanitized
} else {
$obj['msg'] = $msg;
}Compare with the correctly patched Message.php (lines 254-256):
$json = removeAutoEvalCodeOnHTMLRecursive($json); // Strips from ALL nested pathsAnd MessageSQLiteV2.php (lines 302-303):
$json = removeAutoEvalCodeOnHTMLRecursive($json); // Same recursive fixMessageSQLite.php does not call removeAutoEvalCodeOnHTMLRecursive() at all.
Attack Chain
- Attacker sends a WebSocket message with
autoEvalCodeOnHTMLin thejsonkey instead ofmsg - The fix at line 268-271 only checks
$json['msg']- thejsonkey is untouched msgToResourceId()reads$msg['json']first (line 361) because!empty($msg['json'])is true- The payload is delivered to the victim's WebSocket client and evaluated via
autoEvalCodeOnHTML
Proof of Concept
// Connect to AVideo WebSocket as authenticated user
const ws = new WebSocket('wss://TARGET/plugin/YPTSocket/server.php?token=USER_TOKEN');
ws.onopen = () => {
ws.send(JSON.stringify({
msg: "Hello", // sanitized path - decoy
json: {autoEvalCodeOnHTML: "alert('XSS')"}, // unsanitized path - payload
to_users_id: VICTIM_USER_ID,
resourceId: RESOURCE_ID
}));
};
// Victim's client evaluates alert('XSS') via autoEvalCodeOnHTML mechanismImpact
An authenticated attacker can:
- Execute arbitrary JavaScript in any connected user's browser session via the WebSocket messaging system
- Steal session cookies and authentication tokens
- Perform account takeover via session hijacking
- Chain with CSRF to execute admin actions on behalf of the victim
The vulnerability affects the default SQLite WebSocket backend configuration.
Suggested Remediation
Apply removeAutoEvalCodeOnHTMLRecursive() in MessageSQLite.php, consistent with Message.php and MessageSQLiteV2.php:
// Before (vulnerable - shallow strip):
if (is_array($json['msg'] ?? null)) {
unset($json['msg']['autoEvalCodeOnHTML']);
}
// After (fixed - recursive strip):
$json = removeAutoEvalCodeOnHTMLRecursive($json);AnalysisAI
Stored cross-site scripting in WWBN AVideo (all versions through 29.0) lets an authenticated user execute arbitrary JavaScript in other connected users' browsers via the SQLite-backed YPTSocket WebSocket messaging system. The flaw is an incomplete-fix bypass of CVE-2026-43874: the prior patch only stripped the autoEvalCodeOnHTML key from $json['msg'], but msgToResourceId() prioritizes the sibling json key, so a payload placed there reaches the victim unsanitized. Publicly available exploit code exists in the GitHub advisory PoC; EPSS is low (0.13%) and it is not on CISA KEV, so no active exploitation is indicated.
Technical ContextAI
AVideo is an open-source PHP video-sharing/streaming platform (Composer package wwbn/avideo). The affected component is the YPTSocket real-time messaging plugin's SQLite backend, plugin/YPTSocket/MessageSQLite.php. AVideo supports an autoEvalCodeOnHTML message field that causes the receiving WebSocket client to evaluate attacker-supplied markup/JavaScript - effectively a designed code-injection sink that must be stripped from untrusted, non-PHP-originated messages. The root cause is CWE-79 (improper neutralization of input during web page generation) compounded by incomplete input sanitization: the handler unsets autoEvalCodeOnHTML only from the msg sub-array, while the relay function msgToResourceId() reads $msg['json'] with higher priority than $msg['msg'], leaving the json path unfiltered. The correctly patched sibling handlers Message.php and MessageSQLiteV2.php already call removeAutoEvalCodeOnHTMLRecursive() to strip the key from all nested paths; MessageSQLite.php, the default SQLite backend, did not.
RemediationAI
Upstream fix available (PR/commit); released patched version not independently confirmed - the Composer advisory lists 'fixed in: None' and the fix is delivered as commit 3e0b3ce2bfa766183ff0ae227439394db57b1a23 (https://github.com/WWBN/AVideo/commit/3e0b3ce2bfa766183ff0ae227439394db57b1a23) rather than a tagged release. Apply that commit, which replaces the shallow unset($json['msg']['autoEvalCodeOnHTML']) with a call to a new recursive helper removeAutoEvalCodeOnHTMLRecursive($json) that strips the key from every nested path in MessageSQLite.php, matching the already-fixed Message.php and MessageSQLiteV2.php. If you cannot immediately deploy the commit, a compensating control is to switch the YPTSocket backend from the default SQLite handler to MessageSQLiteV2.php, which already contains the recursive sanitization - with the trade-off of validating that the V2 backend is compatible with your deployment. As a further interim measure, restrict or disable the YPTSocket WebSocket messaging feature to trusted users, accepting the loss of real-time chat/notification functionality. Track the vendor advisory GHSA-2fhx-q92v-5fhv for a formally tagged patched release.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-2fhx-q92v-5fhv