<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Cve-2026-40911 - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/cve-2026-40911/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 02 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/cve-2026-40911/feed.xml" rel="self" type="application/rss+xml"/><item><title>WWBN AVideo Unauthenticated Remote Code Execution via YPTSocket Plugin (CVE-2026-40911)</title><link>https://feed.craftedsignal.io/briefs/2024-01-wwbn-avideo-rce/</link><pubDate>Tue, 02 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-wwbn-avideo-rce/</guid><description>WWBN AVideo version 29.0 and prior is vulnerable to unauthenticated arbitrary Javascript execution via the YPTSocket plugin, allowing an attacker to execute arbitrary code in the context of connected users, leading to account takeover and data theft.</description><content:encoded><![CDATA[<p>WWBN AVideo, an open-source video platform, is susceptible to a critical vulnerability (CVE-2026-40911) affecting versions 29.0 and prior. The flaw resides in the YPTSocket plugin's WebSocket server, which unsafely relays attacker-supplied JSON messages to all connected clients without proper sanitization of the <code>msg</code> and <code>callback</code> fields. This lack of input validation allows an unauthenticated attacker to inject arbitrary JavaScript code that executes within the context of any connected user's browser session. Since tokens are minted for anonymous users and are not revalidated, this vulnerability can be exploited to achieve universal account takeover, session theft, and execution of privileged actions within the AVideo platform. The vulnerability is addressed in commit c08694bf6264eb4decceb78c711baee2609b4efd. Successful exploitation allows attackers to compromise all active user sessions, including those of administrators.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An unauthenticated attacker connects to the AVideo platform's WebSocket server via the YPTSocket plugin.</li>
<li>The attacker crafts a malicious JSON message containing JavaScript code within the <code>msg</code> and/or <code>callback</code> fields.</li>
<li>The attacker sends the crafted JSON message to the WebSocket server.</li>
<li>The YPTSocket plugin's server relays the attacker-supplied JSON message to all connected clients without sanitization.</li>
<li>On the client side, the <code>plugin/YPTSocket/script.js</code> file receives the JSON message.</li>
<li>The <code>eval()</code> function at line 568 (<code>json.msg.autoEvalCodeOnHTML</code>) and/or line 95 (<code>json.callback</code>) in <code>plugin/YPTSocket/script.js</code> executes the attacker-injected JavaScript code.</li>
<li>The injected JavaScript code can perform actions such as stealing session cookies, creating new administrative accounts, or modifying data within the AVideo platform.</li>
<li>The attacker gains control of user accounts and performs privileged actions on the compromised AVideo platform.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-40911 allows an unauthenticated attacker to execute arbitrary JavaScript code within the context of any connected user's session on a vulnerable AVideo platform. This can lead to complete account takeover, including administrator accounts, resulting in unauthorized access to sensitive data, modification of system settings, and potential data breaches. The vulnerability has a CVSS v3.1 base score of 10.0, indicating its critical severity. The number of victims and specific sectors targeted are unknown but could potentially affect any organization using a vulnerable version of AVideo.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade WWBN AVideo to a version containing the fix from commit c08694bf6264eb4decceb78c711baee2609b4efd to remediate CVE-2026-40911.</li>
<li>Deploy the Sigma rules provided in this brief to your SIEM to detect potential exploitation attempts targeting the YPTSocket plugin.</li>
<li>Monitor web server logs for suspicious POST requests to WebSocket endpoints associated with the YPTSocket plugin, as these could indicate exploitation attempts (see example rule referencing category &quot;webserver&quot;).</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>avideo</category><category>rce</category><category>websocket</category><category>cve-2026-40911</category></item></channel></rss>