Critical (10.0)

AVideo unauthenticated XSS takeover (CVE-2026-40911)


Unauthenticated attackers broadcast malicious JavaScript to all AVideo users via a WebSocket XSS chain, hijacking admin sessions and seizing full control. Upgrade past commit c08694bf6264eb4decceb78c711baee2609b4efd.

Affected: Wwbn Avideo

Patch now - CVE-2026-40911 is a critical unauthenticated cross-site scripting (XSS) vulnerability in WWBN AVideo versions 29.0 and prior that lets attackers execute arbitrary JavaScript in the browsers of all connected users, including administrators, to steal session tokens and perform privileged actions. Apply the patched commit immediately to block exploitation.

Overview

WWBN AVideo versions 29.0 and prior contain a critical vulnerability in the YPTSocket plugin that allows unauthenticated attackers to execute arbitrary JavaScript in the browsers of all connected users, including administrators. The flaw carries a CVSS score of 10.0 due to its network-based attack vector, low complexity, and zero authentication or user interaction requirements.

Vulnerability Details

The YPTSocket plugin’s WebSocket server relays attacker-supplied JSON message bodies to every connected client without sanitizing the msg or callback fields. On the client side, plugin/YPTSocket/script.js contains two eval() sinks at line 568 (json.msg.autoEvalCodeOnHTML) and line 95 (json.callback). These sinks are directly fed by the unsanitized fields.

Because the server issues WebSocket tokens to anonymous visitors and validates them only by decryption, never re-checking whether the holder is authenticated, an attacker can broadcast malicious JavaScript to every active session. The injected code runs in the AVideo instance's own origin, so the same-origin policy offers no protection against it.
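The following is an added illustration of the sink pattern described above, not code from AVideo or from the advisory: a relayed-message handler in which the callback field reaches eval(), beside a hardened dispatcher that maps message names to a fixed set of functions and never evaluates text. The callback names, message shapes and escapeHtml helper are assumptions made for the example.

```javascript
// Added illustration, not AVideo's code. Message bodies below are constructed.

// Vulnerable pattern: whatever the sender placed in "callback" is executed.
function handleMessageUnsafe(rawJson) {
  const json = JSON.parse(rawJson);
  if (json.callback) {
    return eval(json.callback); // the sink: a sender-controlled string becomes code
  }
  return null;
}

// Minimal HTML escaping so relayed text is inserted as text, never as markup.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Hardened pattern: an allow-list of named callbacks (hypothetical names).
// Each one takes structured arguments and returns a description of the UI
// change; none interprets a string as code, and text is escaped before it
// could reach innerHTML.
const CALLBACKS = Object.freeze({
  refreshCounter: (args) => ({
    action: 'refreshCounter',
    count: Number(args && args.count) || 0,
  }),
  showNotice: (args) => ({
    action: 'showNotice',
    html: escapeHtml(args && args.text !== undefined ? args.text : ''),
  }),
});

function handleMessageSafe(rawJson) {
  let json;
  try {
    json = JSON.parse(rawJson);
  } catch (e) {
    return { dropped: true, reason: 'invalid JSON' };
  }
  if (typeof json !== 'object' || json === null || Array.isArray(json)) {
    return { dropped: true, reason: 'message is not an object' };
  }
  // Refuse a field whose only purpose is to carry code, instead of trying to filter it.
  if (json.msg && typeof json.msg === 'object' && 'autoEvalCodeOnHTML' in json.msg) {
    return { dropped: true, reason: 'code-carrying field rejected' };
  }
  // hasOwnProperty.call rather than `in`: "constructor" or "toString" would
  // otherwise resolve through Object.prototype and bypass the allow-list.
  if (typeof json.callback !== 'string' ||
      !Object.prototype.hasOwnProperty.call(CALLBACKS, json.callback)) {
    return { dropped: true, reason: 'unknown callback' };
  }
  return CALLBACKS[json.callback](json.args);
}
```

The design point is that the hardened handler has no code path in which message content is parsed as JavaScript: the callback field selects among functions that already exist in the page, and anything that does not match is dropped rather than sanitized.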

Impact

An unauthenticated attacker can:

  • Execute arbitrary JavaScript in the context of every connected user, including administrators
  • Steal session tokens and cookies, leading to account takeover
  • Perform privileged actions on behalf of administrators, such as modifying site configuration, deleting content, or accessing private data
  • Potentially pivot to server-side attacks through XSS-based exploitation

The attack requires no user interaction and no prior authentication. Any user viewing an AVideo page with the YPTSocket plugin active is vulnerable.

Affected Versions

All WWBN AVideo versions 29.0 and earlier are affected. The vulnerability is patched in commit c08694bf6264eb4decceb78c711baee2609b4efd.

Remediation

  1. Update immediately: Apply the fix by updating to a version that includes commit c08694bf6264eb4decceb78c711baee2609b4efd, or manually apply the patch to your installation.
  2. Restrict network access: Limit WebSocket port exposure to trusted networks until the update is applied.
  3. Monitor for unusual activity: Review WebSocket logs for unexpected message patterns and examine browser console errors for signs of exploitation.
  4. Reset all sessions: After patching, force all users to re-authenticate by invalidating existing session tokens.

For organizations managing sensitive data on AVideo, consider temporary access restrictions while patching.
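As an added example supporting remediation step 3 (not part of the advisory and not an AVideo tool), the function below triages WebSocket relay logs for the message patterns the advisory identifies: messages that carry an autoEvalCodeOnHTML field, callback values outside a known allow-list, and callbacks supplied by anonymous senders. The log format, field names and allow-list are constructed for this example; adapt them to the logs your deployment actually produces.

```javascript
// Added example; log format and allow-list are hypothetical.
const KNOWN_CALLBACKS = new Set(['refreshCounter', 'showNotice']);

// Constructed sample: one JSON record per line, with the sender's
// authentication state and the relayed message body.
const SAMPLE_LOG = [
  '{"ts":"2026-04-01T10:00:01Z","from":"user:42","body":{"callback":"refreshCounter","args":{"count":3}}}',
  '{"ts":"2026-04-01T10:00:05Z","from":"anonymous","body":{"callback":"refreshCounter"}}',
  '{"ts":"2026-04-01T10:00:09Z","from":"anonymous","body":{"callback":"document.title"}}',
  '{"ts":"2026-04-01T10:00:12Z","from":"anonymous","body":{"msg":{"autoEvalCodeOnHTML":"1+1"}}}',
  'garbage line that is not JSON',
  '{"ts":"2026-04-01T10:00:20Z","from":"user:7","body":{"msg":{"text":"hello"}}}',
].join('\n');

// Returns one finding per suspicious line; severity is higher for anonymous
// senders because the advisory's attack path needs no authentication.
function triageRelayLog(logText) {
  const findings = [];
  logText.split('\n').forEach((line, i) => {
    if (!line.trim()) return;
    let rec;
    try {
      rec = JSON.parse(line);
    } catch (e) {
      findings.push({ line: i + 1, severity: 'info', why: ['unparseable log line'] });
      return;
    }
    const body = (rec && typeof rec.body === 'object' && rec.body) || {};
    const anon = rec.from === 'anonymous';
    const why = [];
    if (body.msg && typeof body.msg === 'object' && 'autoEvalCodeOnHTML' in body.msg) {
      why.push('message carries autoEvalCodeOnHTML');
    }
    if (typeof body.callback === 'string' && !KNOWN_CALLBACKS.has(body.callback)) {
      why.push('callback value not in allow-list');
    }
    if (anon && 'callback' in body) {
      why.push('anonymous sender supplied a callback');
    }
    if (why.length) {
      findings.push({ line: i + 1, from: rec.from, severity: anon ? 'high' : 'medium', why });
    }
  });
  return findings;
}

// Convenience wrapper over the constructed sample.
function triageSample() {
  return triageRelayLog(SAMPLE_LOG);
}
```

Run against the sample, the triage flags three anonymous messages as high severity and one unparseable line as informational; the two authenticated messages using known callbacks produce no finding. Treating any anonymous callback as suspicious, even one with an allow-listed name, reflects the advisory's point that anonymous tokens should not be able to drive client behaviour at all.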

Security Insight

This vulnerability exemplifies the danger of combining server-side message relay with client-side eval() - a pattern that has caused similar critical issues in products like Apache ActiveMQ and various WebSocket implementations. The failure to revalidate anonymous tokens after initial issuance indicates a systemic trust model weakness that should prompt a broader security audit of AVideo’s authentication and authorization flows. Vendors relying on client-side execution for real-time features must enforce strict input sanitization and avoid dynamic code execution entirely.
