{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-40911/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":10,"id":"CVE-2026-40911"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["AVideo"],"_cs_severities":["critical"],"_cs_tags":["avideo","rce","websocket","cve-2026-40911"],"_cs_type":"advisory","_cs_vendors":["WWBN"],"content_html":"\u003cp\u003eWWBN AVideo, an open-source video platform, is susceptible to a critical vulnerability (CVE-2026-40911) affecting versions 29.0 and prior. The flaw resides in the YPTSocket plugin's WebSocket server, which unsafely relays attacker-supplied JSON messages to all connected clients without proper sanitization of the \u003ccode\u003emsg\u003c/code\u003e and \u003ccode\u003ecallback\u003c/code\u003e fields. This lack of input validation allows an unauthenticated attacker to inject arbitrary JavaScript code that executes within the context of any connected user's browser session. Since tokens are minted for anonymous users and are not revalidated, this vulnerability can be exploited to achieve universal account takeover, session theft, and execution of privileged actions within the AVideo platform. The vulnerability is addressed in commit c08694bf6264eb4decceb78c711baee2609b4efd. Successful exploitation allows attackers to compromise all active user sessions, including those of administrators.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker connects to the AVideo platform's WebSocket server via the YPTSocket plugin.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious JSON message containing JavaScript code within the \u003ccode\u003emsg\u003c/code\u003e and/or \u003ccode\u003ecallback\u003c/code\u003e fields.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the crafted JSON message to the WebSocket server.\u003c/li\u003e\n\u003cli\u003eThe YPTSocket plugin's server relays the attacker-supplied JSON message to all connected clients without sanitization.\u003c/li\u003e\n\u003cli\u003eOn the client side, the \u003ccode\u003eplugin/YPTSocket/script.js\u003c/code\u003e file receives the JSON message.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eeval()\u003c/code\u003e function at line 568 (\u003ccode\u003ejson.msg.autoEvalCodeOnHTML\u003c/code\u003e) and/or line 95 (\u003ccode\u003ejson.callback\u003c/code\u003e) in \u003ccode\u003eplugin/YPTSocket/script.js\u003c/code\u003e executes the attacker-injected JavaScript code.\u003c/li\u003e\n\u003cli\u003eThe injected JavaScript code can perform actions such as stealing session cookies, creating new administrative accounts, or modifying data within the AVideo platform.\u003c/li\u003e\n\u003cli\u003eThe attacker gains control of user accounts and performs privileged actions on the compromised AVideo platform.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-40911 allows an unauthenticated attacker to execute arbitrary JavaScript code within the context of any connected user's session on a vulnerable AVideo platform. This can lead to complete account takeover, including administrator accounts, resulting in unauthorized access to sensitive data, modification of system settings, and potential data breaches. The vulnerability has a CVSS v3.1 base score of 10.0, indicating its critical severity. The number of victims and specific sectors targeted are unknown but could potentially affect any organization using a vulnerable version of AVideo.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade WWBN AVideo to a version containing the fix from commit c08694bf6264eb4decceb78c711baee2609b4efd to remediate CVE-2026-40911.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided in this brief to your SIEM to detect potential exploitation attempts targeting the YPTSocket plugin.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious POST requests to WebSocket endpoints associated with the YPTSocket plugin, as these could indicate exploitation attempts (see example rule referencing category \u0026quot;webserver\u0026quot;).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-wwbn-avideo-rce/","summary":"WWBN AVideo version 29.0 and prior is vulnerable to unauthenticated arbitrary Javascript execution via the YPTSocket plugin, allowing an attacker to execute arbitrary code in the context of connected users, leading to account takeover and data theft.","title":"WWBN AVideo Unauthenticated Remote Code Execution via YPTSocket Plugin (CVE-2026-40911)","url":"https://feed.craftedsignal.io/briefs/2024-01-wwbn-avideo-rce/"}],"language":"en","title":"CraftedSignal Threat Feed - Cve-2026-40911","version":"https://jsonfeed.org/version/1.1"}