Critical RCE in AVideo YPTSocket Plugin: Unauthenticated Account Takeover

The National Vulnerability Database has disclosed CVE-2026-40911, a critical remote code execution vulnerability in WWBN AVideo, an open-source video platform. Affecting versions 29.0 and prior, this flaw stems from improper sanitization within the YPTSocket plugin's WebSocket server. Specifically, attacker-supplied JSON message bodies containing unsanitized `msg` or `callback` fields are relayed to all connected clients.

Client-side JavaScript, located in `plugin/YPTSocket/script.js`, directly feeds these relayed fields into `eval()` sinks. This creates a severe client-side arbitrary JavaScript execution vulnerability. Since AVideo issues anonymous tokens that are never revalidated, an unauthenticated attacker can broadcast malicious JavaScript. This code executes within the origin of every currently connected user, including administrators.

The implications are catastrophic: universal account takeover, session theft, and arbitrary privileged action execution. The CVSS score is a perfect 10.0, highlighting the ease of exploitation and the devastating impact. A fix is available in commit c08694bf6264eb4decceb78c711baee2609b4efd. Organizations running AVideo must patch immediately.
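As an added example (not AVideo's code and not the patched handler from the referenced commit), this is the dispatch pattern a client should use instead of feeding relayed `callback` and `msg` fields into `eval()`: an allowlist of named handlers, with relayed data treated strictly as data. The function and handler names are assumptions for illustration.

```javascript
// Allowlist dispatcher for relayed WebSocket frames (illustrative, not AVideo's code).
// Only names registered here are reachable from a relayed message; the message
// itself can never supply code, so the eval() sink disappears entirely.
const handlers = {
  refreshViewerCount: (payload) => ({ action: "refresh", users: Number(payload.users) || 0 }),
  // In a browser, `text` would go to element.textContent, never innerHTML or eval.
  showNotice: (payload) => ({ action: "notice", text: String(payload.text ?? "") }),
};

// Accept only a short identifier-like name, so a string carrying call syntax or
// statement separators is rejected before any lookup happens.
const CALLBACK_NAME = /^[A-Za-z_][A-Za-z0-9_]{0,63}$/;

function handleSocketMessage(rawFrame) {
  let frame;
  try {
    frame = JSON.parse(rawFrame);
  } catch {
    return { ok: false, reason: "invalid-json" };
  }
  if (!frame || typeof frame !== "object") return { ok: false, reason: "not-object" };

  const { callback, msg } = frame;
  if (typeof callback !== "string" || !CALLBACK_NAME.test(callback)) {
    return { ok: false, reason: "bad-callback-name" };
  }
  // hasOwnProperty guards against prototype names such as "constructor" or "__proto__".
  if (!Object.prototype.hasOwnProperty.call(handlers, callback)) {
    return { ok: false, reason: "unknown-callback" };
  }
  const payload = msg && typeof msg === "object" ? msg : {};
  return { ok: true, result: handlers[callback](payload) };
}

// Constructed sample frames: one well-formed, one carrying call syntax in `callback`.
const benignFrame = JSON.stringify({ callback: "refreshViewerCount", msg: { users: 12 } });
const rejectedFrame = JSON.stringify({ callback: "refreshViewerCount(); other()", msg: {} });
```

The regex and the own-property check together ensure a relayed frame can only select among pre-registered behaviours, which is the property the `eval()` pattern lacked.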

What This Means For You

  • If your organization uses WWBN AVideo, you need to verify your version immediately. This isn't a theoretical flaw; it's an unauthenticated RCE leading to full account takeover. Patch to commit `c08694bf6264eb4decceb78c711baee2609b4efd` or later without delay. Assume compromise if you were running affected versions and audit all administrator and user sessions for suspicious activity.

Indicators of Compromise

ID              Type              Indicator
CVE-2026-40911  Vulnerability     CVE-2026-40911
CVE-2026-40911  Affected Product  versions 29.0 and
Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: April 22, 2026 at 00:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
