CVE-2026-43874— WWBN AVideo: Incomplete Fix for YPTSocket autoEvalCodeOnHTML Strip: Unauthenticated Cross-User JavaScript Execution via `$msg['json']` Relay Bypass
Possible ATT&CK Techniques 2AI
T1059 · Command and Scripting Interpreter T1190 · Exploit Public-Facing ApplicationGet alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-43874
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
WWBN AVideo: Incomplete Fix for YPTSocket autoEvalCodeOnHTML Strip: Unauthenticated Cross-User JavaScript Execution via `$msg['json']` Relay Bypass
Source: NVD (National Vulnerability Database)
Vulnerability Description
WWBN AVideo is an open source video platform. In versions up to and including 29.0, the server-side mitigation for the YPTSocket autoEvalCodeOnHTML eval sink (from CVE-2026-40911) only strips the payload when it sits under $json['msg'], but the relay function msgToResourceId() selects the outbound message from $msg['json'] before $msg['msg']. An unauthenticated attacker can obtain a WebSocket token from plugin/YPTSocket/getWebSocket.json.php, connect to the WebSocket server, and send a message with autoEvalCodeOnHTML nested under a top-level json field — the strip branch is skipped, the relay delivers the payload verbatim to any logged-in user identified by to_users_id, and the client script runs it through eval(). Commit 9f3006f9a89a34daa67a83c6ad35f450cb91fcce contains an updated fix.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
对生成代码的控制不恰当(代码注入)
Source: NVD (National Vulnerability Database)
Vulnerability Title
WWBN AVideo 代码注入漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
WWBN AVideo是WWBN团队的一个由PHP编写的视频平台建站系统。 WWBN AVideo 29.0及之前版本存在代码注入漏洞,该漏洞源于YPTSocket的autoEvalCodeOnHTML评估漏洞缓解措施不完整,可能导致未经验证的攻击者通过WebSocket发送恶意负载,使登录用户执行任意代码。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-43874
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-43874
请登录查看更多情报信息。
- https://github.com/WWBN/AVideo/security/advisories/GHSA-ghcv-22jf-vfxmx_refsource_CONFIRM
- https://nvd.nist.gov/vuln/detail/CVE-2026-43874
Same Patch Batch · WWBN · 2026-05-11 · 13 CVEs total
| CVE-2026-43884 | 7.7 HIGH | WWBN AVideo: SSRF Protection Bypass via HTTP Redirect and DNS Rebinding in isSSRFSafeURL() |
| CVE-2026-43873 | 7.5 HIGH | WWBN AVideo: Unauthenticated Disclosure of CloneSite `myKey` via Error Echo in `cloneClien |
| CVE-2026-43875 | 6.8 MEDIUM | WWBN AVideo: Password Hash Leaked in MobileManager OAuth Redirect URL Enables Account Take |
| CVE-2026-43876 | 6.4 MEDIUM | WWBN AVideo: HTML Injection in notifySubscribers.json.php Enables Platform-Branded Phishin |
| CVE-2026-43878 | 6.1 MEDIUM | WWBN AVideo: Reflected XSS in plugin/Meet/iframe.php via Unescaped `user`/`pass` Parameter |
| CVE-2026-43879 | 5.4 MEDIUM | WWBN AVideo: Blind SSRF in YPTWallet Donation Webhook via Missing isSSRFSafeURL() Check an |
| CVE-2026-43877 | 5.4 MEDIUM | WWBN AVideo: CSRF in userSavePhoto.php Allows Cross-Origin Overwrite of Any Logged-in User |
| CVE-2026-43881 | 5.3 MEDIUM | WWBN AVideo: Unauthenticated User Enumeration in `objects/users.json.php` via `isCompany` |
| CVE-2026-43880 | 5.3 MEDIUM | WWBN AVideo: Unauthenticated Arbitrary Email Sending via sendEmail.json.php Allows Phishin |
| CVE-2026-43882 | 4.3 MEDIUM | WWBN AVideo: Unauthenticated CRLF/ICS Injection in Scheduler downloadICS.php Allows Calend |
| CVE-2026-43883 | 4.2 MEDIUM | WWBN AVideo: IDOR in PayPalYPT agreementCancel.json.php Allows Any Authenticated User to C |
| CVE-2026-43885 | WWBN AVideo: Exposure of Sensitive Information to an Unauthorized Actor and Missing Author |
IV. Related Vulnerabilities
Same product: AVideo
- CVE-2026-43885
WWBN AVideo: Exposure of Sensitive Information to an Unautho - CVE-2026-43884
WWBN AVideo: SSRF Protection Bypass via HTTP Redirect and DN - CVE-2026-43883
WWBN AVideo: IDOR in PayPalYPT agreementCancel.json.php Allo - CVE-2026-43882
WWBN AVideo: Unauthenticated CRLF/ICS Injection in Scheduler - CVE-2026-43881
WWBN AVideo: Unauthenticated User Enumeration in `objects/us
Same vendor: WWBN
- CVE-2026-43885
WWBN AVideo: Exposure of Sensitive Information to an Unautho - CVE-2026-43884
WWBN AVideo: SSRF Protection Bypass via HTTP Redirect and DN - CVE-2026-43883
WWBN AVideo: IDOR in PayPalYPT agreementCancel.json.php Allo - CVE-2026-43882
WWBN AVideo: Unauthenticated CRLF/ICS Injection in Scheduler - CVE-2026-43881
WWBN AVideo: Unauthenticated User Enumeration in `objects/us
Same weakness: CWE-94
- CVE-2021-47952
python jsonpickle 2.0.0 Remote Code Execution via py/repr - CVE-2021-47964
Schlix CMS 2.2.6-6 Remote Code Execution via core.blockmanag - CVE-2026-44717
MCP Calculate Server: Prompt Injection to RCE - CVE-2026-41258
OpenMRS: Stored Velocity SSTI to RCE via ConceptReferenceRan - CVE-2026-35194
Apache Flink: Remote code execution via SQL injection in cod
V. Comments for CVE-2026-43874
No comments yet