CVE-2026-40911— WWBN AVideo YPTSocket WebSocket Broadcast Relay Leads to Unauthenticated Cross-User JavaScript Execution via Client-Side eval() Sinks

CVSS 10.0 · Critical EPSS 0.29% · P52 Updated Apr 22, 2026

Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-40911

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title

WWBN AVideo YPTSocket WebSocket Broadcast Relay Leads to Unauthenticated Cross-User JavaScript Execution via Client-Side eval() Sinks

Source: NVD (National Vulnerability Database)

Vulnerability Description

WWBN AVideo is an open source video platform. In versions 29.0 and prior, the YPTSocket plugin's WebSocket server relays attacker-supplied JSON message bodies to every connected client without sanitizing the `msg` or `callback` fields. On the client side, `plugin/YPTSocket/script.js` contains two `eval()` sinks fed directly by those relayed fields (`json.msg.autoEvalCodeOnHTML` at line 568 and `json.callback` at line 95). Because tokens are minted for anonymous visitors and never revalidated beyond decryption, an unauthenticated attacker can broadcast arbitrary JavaScript that executes in the origin of every currently-connected user (including administrators), resulting in universal account takeover, session theft, and privileged action execution. Commit c08694bf6264eb4decceb78c711baee2609b4efd contains a fix.

Source: NVD (National Vulnerability Database)

CVSS Information

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Source: NVD (National Vulnerability Database)

Vulnerability Type

对生成代码的控制不恰当(代码注入)

Source: NVD (National Vulnerability Database)

Vulnerability Title

WWBN AVideo 代码注入漏洞

Source: CNNVD (China National Vulnerability Database)

Vulnerability Description

WWBN AVideo是WWBN团队的一个由PHP编写的视频平台建站系统。 WWBN AVideo 29.0及之前版本存在代码注入漏洞，该漏洞源于YPTSocket插件的WebSocket服务器未清理msg或callback字段即转发攻击者提供的JSON消息体，且客户端script.js中存在eval接收这些字段，可能导致未经身份验证的攻击者广播任意JavaScript代码，造成账户接管、会话窃取和执行特权操作。

Source: CNNVD (China National Vulnerability Database)

CVSS Information

N/A

Source: CNNVD (China National Vulnerability Database)

Vulnerability Type

N/A

Source: CNNVD (China National Vulnerability Database)

Shenlong Deep Dive — AI Deep Analysis

10-question deep dive: root cause, exploitation, mitigation, urgency. Read summary free, full version requires login.

Read summary Full analysis (login)

Affected Products

Vendor	Product	Affected Versions	CPE	Subscribe
WWBN	AVideo	<= 29.0	-

II. Public POCs for CVE-2026-40911

#	POC Description	Source Link	Shenlong Link

AI-Generated POCPremium

No public POC found.

III. Intelligence Information for CVE-2026-40911

请登录查看更多情报信息。

Same Patch Batch · WWBN · 2026-04-21 · 19 CVEs total

CVE-2026-41064	9.3 CRITICAL	AVideo has an incomplete fix for CVE-2026-33502 (Command Injection)
CVE-2026-40909	8.7 HIGH	WWBN AVideo has a Path Traversal in Locale Save Endpoint that Enables Arbitrary PHP File W
CVE-2026-41055	8.6 HIGH	AVideo has an incomplete fix for CVE-2026-33039 (SSRF)
CVE-2026-40925	8.3 HIGH	WWBN AVideo has CSRF in configurationUpdate.json.php Enables Full Site Configuration Takeo
CVE-2026-41056	8.1 HIGH	AVideos has CORS Origin Reflection with Credentials on Sensitive API Endpoints that Enable
CVE-2026-41058	8.1 HIGH	AVideo has an incomplete fix for CVE-2026-33293 (Path Traversal) in AVideo
CVE-2026-41060	7.7 HIGH	AVideo's SSRF via same-domain hostname with alternate port bypasses isSSRFSafeURL
CVE-2026-40926	7.1 HIGH	WWBN AVideo Vulnerable to CSRF in Admin JSON Endpoints (Category CRUD, Plugin Update Scrip
CVE-2026-41057	7.1 HIGH	AVideo has CORS Origin Reflection Bypass via plugin/API/router.php and allowOrigin(true) t
CVE-2026-40907	6.5 MEDIUM	WWBN AVideo has IDOR in Live Restreams list.json.php that Exposes Other Users' Stream Keys
CVE-2026-41062	6.5 MEDIUM	WWBN/AVideo has an incomplete fix for a directory traversal bypass via query string in Rec
CVE-2026-40928	5.4 MEDIUM	AVideo: Missing CSRF Protection on State-Changing JSON Endpoints Enables Forced Comment Cr
CVE-2026-40929	5.4 MEDIUM	WWBN AVideo's missing CSRF protection in objects/commentDelete.json.php enables mass comme
CVE-2026-41063	5.4 MEDIUM	WWBN AVideo has incomplete fix for CVE-2026-33500 (XSS)
CVE-2026-41061	5.4 MEDIUM	WWBN AVideo Vulnerable to stored XSS via Unanchored Duration Regex in Video Encoder Receiv
CVE-2026-40908	5.3 MEDIUM	WWBN AVideo has an Unauthenticated Information Disclosure via git.json.php that Exposes De
CVE-2026-40935	5.3 MEDIUM	WWBN/AVideo has CAPTCHA Bypass via Attacker-Controlled Length Parameter and Missing Token
CVE-2026-41304		WWBN AVideo vulnerable to RCE caused by clonesite plugin

IV. Related Vulnerabilities

Same product: AVideo

Same vendor: WWBN

Same weakness: CWE-94

V. Comments for CVE-2026-40911

No comments yet

Goal Reached Thanks to every supporter — we hit 100%!

CVE-2026-40911— WWBN AVideo YPTSocket WebSocket Broadcast Relay Leads to Unauthenticated Cross-User JavaScript Execution via Client-Side eval() Sinks

I. Basic Information for CVE-2026-40911

Vulnerability Information

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Shenlong Deep Dive — AI Deep Analysis

Affected Products

II. Public POCs for CVE-2026-40911

III. Intelligence Information for CVE-2026-40911

Same Patch Batch · WWBN · 2026-04-21 · 19 CVEs total

IV. Related Vulnerabilities

V. Comments for CVE-2026-40911

Leave a comment