Cyber Posture

CVE-2026-40911

Critical · Public PoC · RCE

Published: 21 April 2026
Modified: 27 April 2026
KEV Added: not listed
CVSS Score: 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0029 (52.1st percentile)
Risk Priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-40911 is a critical-severity Code Injection (CWE-94) vulnerability in Wwbn Avideo. Its CVSS base score is 10.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 47.9% of CVEs by exploit likelihood (EPSS), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-18 (Mobile Code) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI-generated]

- prevent: Requires validation and sanitization of attacker-supplied JSON `msg` and `callback` fields on the WebSocket server before relaying, to prevent code injection.
- prevent: Mandates filtering of relayed JSON messages to clients, to block malicious content from reaching the client-side `eval()` sinks.
- prevent: Restricts execution of arbitrary JavaScript mobile code delivered via unsanitized WebSocket broadcasts to connected clients.

MITRE ATT&CK Enterprise Techniques [AI-generated]

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1059.007 JavaScript (Execution): Adversaries may abuse various implementations of JavaScript for execution.

Why these techniques?

The vulnerability allows unauthenticated exploitation of a public-facing WebSocket server (T1190) to inject and execute arbitrary JavaScript in connected clients' browsers via eval sinks (T1059.007), enabling account takeover and session theft.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

WWBN AVideo is an open source video platform. In versions 29.0 and prior, the YPTSocket plugin's WebSocket server relays attacker-supplied JSON message bodies to every connected client without sanitizing the `msg` or `callback` fields. On the client side, `plugin/YPTSocket/script.js` contains two `eval()` sinks fed directly by those relayed fields (`json.msg.autoEvalCodeOnHTML` at line 568 and `json.callback` at line 95). Because tokens are minted for anonymous visitors and never revalidated beyond decryption, an unauthenticated attacker can broadcast arbitrary JavaScript that executes in the origin of every currently-connected user (including administrators), resulting in universal account takeover, session theft, and privileged action execution. Commit c08694bf6264eb4decceb78c711baee2609b4efd contains a fix.

Deeper analysis [AI-generated]

CVE-2026-40911 is a critical code injection vulnerability (CWE-94) affecting WWBN AVideo, an open source video platform, in versions 29.0 and prior. The issue resides in the YPTSocket plugin's WebSocket server, which relays attacker-supplied JSON message bodies to every connected client without sanitizing the `msg` or `callback` fields. On the client side, the file `plugin/YPTSocket/script.js` contains two `eval()` sinks directly processing these fields (`json.msg.autoEvalCodeOnHTML` at line 568 and `json.callback` at line 95), enabling arbitrary JavaScript execution within the origin of connected users.

An unauthenticated attacker can exploit this vulnerability due to tokens being minted for anonymous visitors without revalidation beyond decryption. By connecting to the WebSocket server and sending a crafted JSON message, the attacker broadcasts malicious JavaScript that executes immediately in the browsers of all currently connected clients, including administrators. This results in universal account takeover, session theft, and execution of privileged actions across all victims.

Mitigation is provided in commit c08694bf6264eb4decceb78c711baee2609b4efd, which addresses the unsanitized relaying and eval sinks. The GitHub Security Advisory GHSA-gph2-j4c9-vhhr details the issue and recommends updating to the patched version.
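The description and analysis above point at the two fixes a defender wants in this pattern: filter relayed JSON on the server, and replace the client-side `eval()` sinks with a name-to-handler lookup. The following is an added illustration of both, not AVideo's own code or the contents of the fix commit; the field names `msg`, `callback` and `autoEvalCodeOnHTML` come from the advisory, while the handler names and the `videoId`/`count` fields are constructed assumptions.

```javascript
// Added defensive example for CVE-2026-40911; not AVideo's own code nor its fix.
// Field names `msg`, `callback` and `autoEvalCodeOnHTML` come from the advisory;
// the handler names and the `videoId`/`count` fields are constructed assumptions.

// Allowlist of handlers the client is willing to run. A relayed `callback` is a
// key into this table, never a string handed to eval().
const CALLBACKS = {
  refreshComments: (msg) => ({ action: 'refreshComments', videoId: String(msg.videoId || '') }),
  updateViewers: (msg) => ({ action: 'updateViewers', count: Number(msg.count) || 0 }),
};
const ALLOWED_CALLBACKS = new Set(Object.keys(CALLBACKS));

// Server side: sanitize one JSON body before broadcasting it to other clients.
// Returns the object to relay, or null when the message must be dropped.
function sanitizeRelay(raw) {
  let json;
  try { json = JSON.parse(raw); } catch (e) { return null; }
  if (typeof json !== 'object' || json === null || Array.isArray(json)) return null;
  if (typeof json.callback !== 'string' || !ALLOWED_CALLBACKS.has(json.callback)) {
    return null;                           // unknown callback name: drop, do not relay
  }
  const msg = (typeof json.msg === 'object' && json.msg !== null) ? { ...json.msg } : {};
  delete msg.autoEvalCodeOnHTML;           // strip the code-bearing field entirely
  return { callback: json.callback, msg };
}

// Client side: dispatch a relayed message by name; there is no eval() sink.
// hasOwnProperty guards against prototype keys such as "constructor".
function dispatch(raw) {
  let json;
  try { json = JSON.parse(raw); } catch (e) { return null; }
  if (typeof json !== 'object' || json === null) return null;
  if (!Object.prototype.hasOwnProperty.call(CALLBACKS, json.callback)) return null;
  const msg = (typeof json.msg === 'object' && json.msg !== null) ? json.msg : {};
  return CALLBACKS[json.callback](msg);
}
```

Both layers are deliberately independent: even if a server is missed during patching, a client built this way has no sink for a relayed string to reach.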

Details

CWE(s): CWE-94 (Code Injection)

Affected Products: wwbn avideo ≤ 29.0

CVEs Like This One

- CVE-2026-33479 (same product: Wwbn Avideo)
- CVE-2026-33716 (same product: Wwbn Avideo)
- CVE-2026-41055 (same product: Wwbn Avideo)
- CVE-2026-28501 (same product: Wwbn Avideo)
- CVE-2026-41057 (same product: Wwbn Avideo)
- CVE-2026-33770 (same product: Wwbn Avideo)
- CVE-2026-40925 (same product: Wwbn Avideo)
- CVE-2026-41056 (same product: Wwbn Avideo)
- CVE-2026-33513 (same product: Wwbn Avideo)
- CVE-2026-33292 (same product: Wwbn Avideo)
