CVE-2026-40911 Overview
CVE-2026-40911 is a critical Code Injection vulnerability affecting WWBN AVideo, an open source video platform. The YPTSocket plugin's WebSocket server relays attacker-supplied JSON message bodies to every connected client without sanitizing the msg or callback fields. On the client side, plugin/YPTSocket/script.js contains two eval() sinks fed directly by those relayed fields (json.msg.autoEvalCodeOnHTML at line 568 and json.callback at line 95). Because tokens are minted for anonymous visitors and never revalidated beyond decryption, an unauthenticated attacker can broadcast arbitrary JavaScript that executes in the origin of every currently-connected user (including administrators), resulting in universal account takeover, session theft, and privileged action execution.
Critical Impact
Unauthenticated attackers can inject and execute arbitrary JavaScript in the browsers of all connected users, including administrators, enabling universal account takeover and session hijacking.
Affected Products
- WWBN AVideo version 29.0 and prior
- YPTSocket plugin for AVideo
- All AVideo deployments using the WebSocket functionality
Discovery Timeline
- 2026-04-21 - CVE CVE-2026-40911 published to NVD
- 2026-04-22 - Last updated in NVD database
Technical Details for CVE-2026-40911
Vulnerability Analysis
This vulnerability is classified under CWE-94 (Improper Control of Generation of Code - Code Injection). The vulnerability stems from the YPTSocket plugin's failure to sanitize user-controlled data before relaying it through WebSocket connections and subsequently evaluating it on the client side.
The attack surface is particularly severe because it affects all connected users simultaneously. When an attacker sends a malicious WebSocket message containing crafted msg.autoEvalCodeOnHTML or callback fields, the server blindly relays this payload to every connected client. The client-side JavaScript then passes these unsanitized values directly to eval() functions, executing arbitrary attacker-controlled code within the user's browser session.
The lack of proper token revalidation beyond initial decryption means anonymous visitors can obtain valid tokens and participate in WebSocket communications without any authentication barrier, making this vulnerability exploitable by completely unauthenticated attackers.
Root Cause
The root cause is twofold: server-side input validation failure combined with dangerous client-side code execution patterns. The WebSocket server in the YPTSocket plugin does not distinguish between legitimate server-generated messages and attacker-supplied messages from browser clients. Additionally, the client-side JavaScript uses eval() to execute data received from the WebSocket without any sanitization, creating a direct code injection vector.
Attack Vector
The attack is network-based and requires no authentication or user interaction. An attacker can:
- Connect to the AVideo WebSocket server as an anonymous visitor
- Obtain a valid token (minted automatically for anonymous users)
- Craft a malicious JSON message with code injection payloads in the msg.autoEvalCodeOnHTML or callback fields
- Send this message through the WebSocket connection
- The server relays the message to all connected clients
- Each client's browser executes the malicious JavaScript via eval()
The fix implemented in commit c08694bf6264eb4decceb78c711baee2609b4efd addresses this by sanitizing the dangerous fields:
if (isset($json['from_identification'])) {
$json['from_identification'] = strip_tags((string)($msgObj->user_name ?? ''));
}
+ // Strip eval-able fields from browser/guest messages.
+ // autoEvalCodeOnHTML is a server-to-client feature (e.g. Live/getImage.php);
+ // browser clients must not inject it into broadcasts.
+ // callback must be a valid JS identifier to prevent eval injection on clients.
+ if (empty($msgObj->isCommandLineInterface) && ($msgObj->sentFrom ?? '') !== 'php') {
+ if (is_array($json['msg'] ?? null)) {
+ unset($json['msg']['autoEvalCodeOnHTML']);
+ }
+ if (isset($json['callback']) && !preg_match('/^[a-zA-Z_][a-zA-Z0-9_]*$/', (string)$json['callback'])) {
+ unset($json['callback']);
+ }
+ }
if (!empty($msgObj->send_to_uri_pattern)) {
$this->msgToSelfURI($json, $msgObj->send_to_uri_pattern);
} else if (!empty($json['resourceId'])) {
Source: GitHub Commit
Detection Methods for CVE-2026-40911
Indicators of Compromise
- WebSocket messages containing autoEvalCodeOnHTML fields from non-server sources
- Malformed or suspicious callback values that do not match the pattern ^[a-zA-Z_][a-zA-Z0-9_]*$
- Unexpected JavaScript execution errors in browser consoles related to WebSocket message handling
- Session cookies or tokens being transmitted to external domains
Detection Strategies
- Monitor WebSocket traffic for JSON messages containing autoEvalCodeOnHTML or suspicious callback field patterns
- Implement Web Application Firewall (WAF) rules to detect and block WebSocket messages with embedded JavaScript code
- Review server logs for unusual WebSocket connection patterns from anonymous users
- Deploy browser-side Content Security Policy (CSP) headers to restrict eval() execution
Monitoring Recommendations
- Enable verbose logging on the YPTSocket WebSocket server to capture all message payloads
- Set up alerts for rapid succession of WebSocket connections from single IP addresses
- Monitor for unexpected cross-origin requests originating from authenticated user sessions
- Implement real-time WebSocket message inspection for potential injection payloads
How to Mitigate CVE-2026-40911
Immediate Actions Required
- Update WWBN AVideo to a version containing the security fix (commit c08694bf6264eb4decceb78c711baee2609b4efd or later)
- Review active sessions for any signs of compromise or unauthorized access
- Temporarily disable the YPTSocket plugin if immediate patching is not possible
- Force re-authentication for all users, especially administrator accounts
Patch Information
The vulnerability has been fixed in commit c08694bf6264eb4decceb78c711baee2609b4efd. The patch implements server-side validation that strips dangerous autoEvalCodeOnHTML fields from browser/guest messages and validates that callback values conform to a safe JavaScript identifier pattern (^[a-zA-Z_][a-zA-Z0-9_]*$). For more details, see the GitHub Security Advisory and the commit details.
Workarounds
- Disable the YPTSocket plugin entirely until patching is possible
- Implement a reverse proxy or WAF rule to filter WebSocket messages containing autoEvalCodeOnHTML or malformed callback fields
- Restrict WebSocket connections to authenticated users only using network-level access controls
- Deploy strict Content Security Policy headers to prevent inline script execution
# Example: Disable YPTSocket plugin by renaming the plugin directory
mv /var/www/AVideo/plugin/YPTSocket /var/www/AVideo/plugin/YPTSocket.disabled
# Example: Apply restrictive CSP header in Apache
# Add to .htaccess or Apache configuration:
Header set Content-Security-Policy "script-src 'self'; object-src 'none';"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
