CVE-2026-40911 — AI Deep Analysis Summary

🚨 **Essence**: A Code Injection flaw in WWBN AVideo. 🛑 **Consequences**: Attackers can broadcast arbitrary JavaScript via WebSocket, leading to account takeover, session theft, and privilege escalation.…

🔍 **Root Cause**: CWE-94 (Code Injection). 🐛 **Flaw**: The YPTSocket plugin's WebSocket server forwards uncleaned `msg` or `callback` fields.…

📦 **Product**: WWBN AVideo. 📅 **Affected Versions**: 29.0 and earlier. 🏢 **Vendor**: WWBN. ⚠️ **Component**: Specifically the YPTSocket plugin and WebSocket server logic.

🕵️ **Actions**: Execute arbitrary JavaScript code. 🔓 **Privileges**: Bypass authentication (Unauthenticated). 💾 **Data**: Steal user sessions, hijack accounts, and perform privileged operations.…

📉 **Threshold**: LOW. 🚫 **Auth**: No authentication required (PR:N). 🖱️ **UI**: No user interaction needed (UI:N). 🌍 **Network**: Remote (AV:N). 🎯 **Complexity**: Low (AC:L). Easy to exploit!

📂 **Public Exp**: No specific PoC code provided in the data. 🔗 **References**: GitHub Advisory (GHSA-gph2-j4c9-vhhr) and Commit fix are available.…

🔎 **Check**: Scan for WWBN AVideo instances. 🧪 **Test**: Look for YPTSocket WebSocket endpoints. 📝 **Indicator**: Check if `script.js` contains vulnerable `eval()` calls handling WebSocket messages.…

✅ **Fixed**: Yes. 📅 **Date**: Published 2026-04-21. 🔗 **Patch**: See GitHub commit `c08694bf6264eb4decceb78c711baee2609b4efd`. 🔄 **Action**: Update to the patched version immediately.

🚧 **Workaround**: Disable the YPTSocket plugin if not needed. 🛑 **Mitigation**: Block WebSocket connections from untrusted sources. 🧹 **Code**: Sanitize `msg` and `callback` fields before forwarding.…

🔥 **Urgency**: CRITICAL. 📈 **CVSS**: 9.8 (High). 🚨 **Priority**: Patch immediately. ⚡ **Reason**: Unauthenticated, remote code execution with severe impact (Account Takeover). Do not delay!