CVE-2026-43874: WWBN AVideo WebSocket Vulnerability Allows RCE

The National Vulnerability Database has disclosed CVE-2026-43874, a high-severity vulnerability (CVSS 7.2) in WWBN AVideo, an open-source video platform, affecting versions up to and including 29.0. The flaw is an incomplete server-side mitigation for an earlier vulnerability, CVE-2026-40911: the YPTSocket relay function msgToResourceId() can be made to skip the sanitization that the earlier fix introduced.

An unauthenticated attacker first obtains a WebSocket token and then sends a crafted message to the relay. The server's sanitization strips the payload from $json['msg'], but the relay forwards $msg['json'] when that key is present, so a payload nested under a top-level json field never passes through the sanitizer. The attacker's autoEvalCodeOnHTML payload is therefore delivered verbatim to whichever logged-in users are named in to_users_id, and the client script hands it to eval().

The result is arbitrary JavaScript execution in the browsers of authenticated users, triggered by an unauthenticated actor. The code runs client-side rather than on the server, but it runs with the victim's session, so it can act as that user inside the application. Defenders running WWBN AVideo should apply the fix in commit 9f3006f9a89a34daa67a83c6ad35f450cb91fcce. The vulnerability is classified as CWE-94 (Improper Control of Generation of Code ('Code Injection')).
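To make the precedence bug concrete, the following JavaScript model is an added example; it is not AVideo's code and does not reproduce the real msgToSocketId()/msgToResourceId() or client logic. It keeps only the field names the advisory mentions (msg, json, to_users_id, autoEvalCodeOnHTML); the function names, the stand-in sanitizer and the constructed attacker message are assumptions made for illustration, and the hardened relay is one way to close the gap, not the project's actual fix commit.

```javascript
// Added example (not AVideo's code): model of the relay precedence bug behind
// CVE-2026-43874 next to a hardened relay. Field names msg, json, to_users_id
// and autoEvalCodeOnHTML come from the advisory; everything else is assumed.

// Stand-in for the server-side sanitizer: recursively drop the key that the
// client would hand to eval(). (AVideo's real sanitizer is not reproduced.)
function stripAutoEval(obj) {
  if (obj === null || typeof obj !== "object") return obj;
  if (Array.isArray(obj)) return obj.map(stripAutoEval);
  const out = {};
  for (const [k, v] of Object.entries(obj)) {
    if (k === "autoEvalCodeOnHTML") continue;
    out[k] = stripAutoEval(v);
  }
  return out;
}

// Vulnerable relay: sanitizes json.msg, then picks msg.json first when choosing
// what to forward, so a payload under a top-level "json" key is never cleaned.
function relayVulnerable(incoming) {
  const json = { ...incoming };
  if (json.msg) json.msg = stripAutoEval(json.msg);
  const forwarded = json.json !== undefined ? json.json : json.msg;
  return { to_users_id: json.to_users_id, payload: forwarded };
}

// Hardened relay: select the branch that will actually be forwarded first,
// then sanitize exactly that object, so every path to the client is covered.
function relayHardened(incoming) {
  const chosen = incoming.json !== undefined ? incoming.json : incoming.msg;
  return { to_users_id: incoming.to_users_id, payload: stripAutoEval(chosen) };
}

// Client side, modelled after the eval() sink. evalFn is injected so the
// example can record what would have been executed instead of running it.
function clientHandleVulnerable(payload, evalFn) {
  if (payload && typeof payload.autoEvalCodeOnHTML === "string") {
    evalFn(payload.autoEvalCodeOnHTML);
    return "evaluated";
  }
  return "ignored";
}

// Hardened client: treat socket messages as data only; never execute strings.
function clientHandleHardened(payload) {
  return payload && typeof payload.autoEvalCodeOnHTML === "string" ? "dropped" : "rendered";
}

// Constructed attacker message (not a captured sample): payload nested under
// "json", which the vulnerable relay forwards verbatim.
const attackerMessage = {
  to_users_id: 42,
  json: { autoEvalCodeOnHTML: "document.title='owned'" },
};

function demo() {
  const executed = [];
  const fakeEval = (code) => executed.push(code); // stand-in for eval()

  const v = relayVulnerable(attackerMessage);
  const h = relayHardened(attackerMessage);
  // Intended path: the same key under "msg" IS stripped by the vulnerable
  // relay, which is why the earlier fix looked complete in testing.
  const legit = relayVulnerable({ to_users_id: 7, msg: { autoEvalCodeOnHTML: "x", text: "hi" } });

  return {
    vulnerableForwardsPayload: typeof v.payload.autoEvalCodeOnHTML === "string",
    vulnerableClient: clientHandleVulnerable(v.payload, fakeEval),
    executed,
    hardenedForwardsPayload: typeof h.payload.autoEvalCodeOnHTML === "string",
    hardenedClient: clientHandleHardened(h.payload),
    legitSanitized: legit.payload.autoEvalCodeOnHTML === undefined && legit.payload.text === "hi",
  };
}
```

Running demo() shows the two halves of the bug: the message under msg is cleaned, the identical payload under json reaches the client untouched, and the client's eval path executes it. The hardened relay sanitizes the object it forwards rather than the object it expected, and the hardened client removes the eval sink entirely, which is the defence that does not depend on the relay getting it right.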

What This Means For You

  • If your organization uses WWBN AVideo, this is a high-severity vulnerability (CVSS 7.2) that an unauthenticated attacker can use to run arbitrary JavaScript in your authenticated users' browsers. Identify every AVideo instance in your environment, check whether it is at version 29.0 or earlier, and apply the patch from commit `9f3006f9a89a34daa67a83c6ad35f450cb91fcce` immediately. Until the patch is in place, your logged-in users remain exposed to client-side compromise.

Related ATT&CK Techniques

  • T1190 Exploit Public-Facing Application (Initial Access), as tagged in the detection rule below

Detection Rules

Web Application Exploitation Attempt — CVE-2026-43874 (level: high; ATT&CK T1190, Initial Access)

Sigma YAML:
title: Web Application Exploitation Attempt — CVE-2026-43874
id: scw-2026-05-11-1
status: experimental
level: high
description: |
  Detects generic exploitation patterns in web server query strings. Note that the
  CVE-2026-43874 payload (autoEvalCodeOnHTML) travels inside a WebSocket message, not
  in a URI query, so this selection will not see the attacker message itself. Treat it
  as a generic signal and review the CVE-2026-43874 advisory for specific indicators.
author: SCW Feed Engine (auto-generated)
date: 2026-05-11
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-43874/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    cs-uri-query|contains:
      - '..'
      - 'SELECT'
      - 'UNION'
      - '<script'
      - 'cmd='
      - '/etc/passwd'
  # condition is a sibling of selection under detection, not a child of it
  condition: selection
falsepositives:
  - Legitimate requests whose query strings contain these substrings (search terms, SQL-like parameter values, relative paths)
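The following JavaScript is an added example, not part of the page or of any product, that runs the rule's selection over constructed log lines to show what it does and does not catch for this CVE. The W3C-style field order (date, time, c-ip, cs-method, cs-uri-stem, cs-uri-query, sc-status), the IP addresses and the log lines are all constructed for the example; the second filter, on the token endpoint plugin/YPTSocket/getWebSocket.json.php named in the advisory, is a hunting pivot I am proposing, not a rule from the page.

```javascript
// Added example (not from the page or from AVideo): evaluate the generic Sigma
// selection above over constructed webserver log lines, plus a CVE-specific
// pivot on the WebSocket token endpoint. Log layout and IPs are assumptions.

// Constructed sample log lines (not real traffic). Assumed field order:
// date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
const SAMPLE_LOG = [
  "2026-05-12 00:20:01 203.0.113.5 GET /plugin/YPTSocket/getWebSocket.json.php - 200",
  "2026-05-12 00:20:02 203.0.113.5 GET /search.php q=UNION+SELECT 200",
  "2026-05-12 00:20:03 198.51.100.9 GET /view/index.php v=abc 200",
  "2026-05-12 00:20:04 198.51.100.9 GET /plugin/YPTSocket/getWebSocket.json.php - 200",
];

// Minimal parser for the assumed field order; "-" means an empty query.
function parseLine(line) {
  const [date, time, cIp, method, stem, query, status] = line.split(/\s+/);
  return {
    date, time, "c-ip": cIp, "cs-method": method, "cs-uri-stem": stem,
    "cs-uri-query": query === "-" ? "" : query, "sc-status": status,
  };
}

// Sigma "field|contains: [...]" semantics: any listed substring matches.
// Sigma string matching is case-insensitive by default, hence toLowerCase().
function containsAny(value, needles) {
  const v = (value || "").toLowerCase();
  return needles.some((n) => v.includes(n.toLowerCase()));
}

// The page's generic selection, transcribed as data.
const GENERIC_SELECTION = {
  field: "cs-uri-query",
  needles: ["..", "SELECT", "UNION", "<script", "cmd=", "/etc/passwd"],
};

// CVE-specific pivot (my assumption, not a page rule): the advisory says the
// attack starts by fetching a WebSocket token from this endpoint. Legitimate
// clients fetch it too, so this is a filter for correlation, not an alert.
const TOKEN_ENDPOINT = "/plugin/YPTSocket/getWebSocket.json.php";

function evaluate(lines) {
  const events = lines.map(parseLine);
  const genericHits = events.filter((e) =>
    containsAny(e[GENERIC_SELECTION.field], GENERIC_SELECTION.needles));
  const tokenFetches = events.filter((e) =>
    (e["cs-uri-stem"] || "").toLowerCase().includes(TOKEN_ENDPOINT.toLowerCase()));
  return {
    genericHits: genericHits.map((e) => e["cs-uri-query"]),
    tokenFetchIps: tokenFetches.map((e) => e["c-ip"]),
  };
}
```

On the constructed input the generic selection fires only on the SQL-looking search query and not on the attacker's token fetch, because the exploit's payload is a WebSocket message and never appears in cs-uri-query. The token-endpoint filter returns every client that fetched a token, attacker and legitimate user alike, so it is useful only when joined with another signal (an unauthenticated session, a client that fetched a token but never loaded a page, or logs from the socket server itself).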


Indicators of Compromise

The entries below are affected-version, component and fix facts carried by the advisory rather than network indicators; no hashes, IPs or domains appear in this advisory.

ID             | Type | Indicator
CVE-2026-43874 | RCE  | Affected: WWBN AVideo versions up to and including 29.0
CVE-2026-43874 | RCE  | Vulnerable component: YPTSocket autoEvalCodeOnHTML eval sink
CVE-2026-43874 | RCE  | Attack vector: WebSocket token from plugin/YPTSocket/getWebSocket.json.php, then a message with autoEvalCodeOnHTML nested under a top-level json field
CVE-2026-43874 | RCE  | Fix: commit 9f3006f9a89a34daa67a83c6ad35f450cb91fcce
Source & Attribution
Source platform: NVD
Channel: National Vulnerability Database
Published: May 12, 2026 at 00:19 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.

