Critical CVE
CVSS 10 · 3 sources verified · 1 min read
By Lyrie Threat Intelligence·4/27/2026

CRITICAL: CVE-2026-40911 (CVSS 10) — wwbn avideo

CVE: CVE-2026-40911

CVSS: 10 (3.1) — CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Severity: CRITICAL

Status: Critical advisory

Affected

  • wwbn avideo

Summary

WWBN AVideo is an open source video platform. In versions 29.0 and prior, the YPTSocket plugin's WebSocket server relays attacker-supplied JSON message bodies to every connected client without sanitizing the msg or callback fields. On the client side, plugin/YPTSocket/script.js contains two eval() sinks fed directly by those relayed fields (json.msg.autoEvalCodeOnHTML at line 568 and json.callback at line 95). Because tokens are minted for anonymous visitors and never revalidated beyond decryption, an unauthenticated attacker can broadcast arbitrary JavaScript that executes in the origin of every currently-connected user (including administrators), resulting in universal account takeover, session theft, and privileged action execution. Commit c08694bf6264eb4decceb78c711baee2609b4efd contains a fix.
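The defect described above has two halves: the server forwards the raw message body unchanged, and the client hands relayed fields to eval(). The following is an added illustration, not AVideo's code and not the fix in the referenced commit, of the defensive shape for both halves: the server constructs a fresh object containing only known, type-checked fields (so callback or msg.autoEvalCodeOnHTML are never copied), and the client selects a handler by name from an allowlist instead of executing a string. The function and constant names (buildRelayMessage, dispatchMessage, CALLBACK_ALLOWLIST, KNOWN_TYPES) and the message types are assumptions made for this example.

```javascript
// Added example, not AVideo's own code. Names, message types and limits are
// assumptions for illustration.

// ---- Server side: relay only a freshly built, validated object ----
const MAX_TEXT_LENGTH = 2000;
const KNOWN_TYPES = new Set(['chat', 'presence']);

// Returns a sanitized message to broadcast, or null to drop the input.
// Unknown fields are never copied, so a relayed message cannot carry
// attacker-controlled code in fields the client might evaluate.
function buildRelayMessage(raw) {
  let json;
  try {
    json = JSON.parse(raw);
  } catch {
    return null; // not JSON: drop rather than relay
  }
  if (typeof json !== 'object' || json === null) return null;
  if (!KNOWN_TYPES.has(json.type)) return null;
  const text =
    typeof json.text === 'string' ? json.text.slice(0, MAX_TEXT_LENGTH) : '';
  return { type: json.type, text };
}

// ---- Client side: dispatch by name through an allowlist ----
// The relayed string only selects a handler; it is never executed as code.
// In a real page the handler would write text via textContent, not innerHTML.
const CALLBACK_ALLOWLIST = new Map([
  ['chat', (m) => ({ rendered: `chat:${m.text}` })],
  ['presence', (m) => ({ rendered: `presence:${m.text}` })],
]);

function dispatchMessage(raw) {
  // Re-validate on receipt: the client must not trust the relay either.
  const msg = buildRelayMessage(raw);
  if (!msg) return { status: 'rejected' };
  const handler = CALLBACK_ALLOWLIST.get(msg.type);
  if (!handler) return { status: 'rejected' };
  return { status: 'ok', ...handler(msg) };
}

// The pattern the advisory describes, kept only to contrast with the
// allowlist dispatch above: a relayed field goes straight into eval(), so
// whoever sent the message chooses what runs in every connected client.
function evalDispatch(raw) {
  const json = JSON.parse(raw);
  // eslint-disable-next-line no-eval
  return eval(json.callback);
}
```

The important property is that the safe path is defined by construction: a message can only ever produce a call to one of the handlers registered in CALLBACK_ALLOWLIST, and nothing in the JSON body is ever interpreted as JavaScript, so adding or removing fields on the wire cannot widen what the client executes.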

Verified Sources

References

  • https://github.com/WWBN/AVideo/commit/c08694bf6264eb4decceb78c711baee2609b4efd
  • https://github.com/WWBN/AVideo/security/advisories/GHSA-gph2-j4c9-vhhr

_Validated by the Lyrie Threat Intelligence Pipeline — 3 independent sources confirmed before publication. No speculation._

Lyrie Verdict

A vulnerability of this severity is exactly what Lyrie's anti-rogue-AI defense is built for: continuous, autonomous monitoring that doesn't wait for human reaction time.

Validated sources

  1. NVD
  2. GitHub Advisory
  3. MITRE