CVE-2026-43874 Overview
CVE-2026-43874 is a code injection vulnerability in WWBN AVideo, an open source video platform. The flaw affects versions up to and including 29.0 and resides in the YPTSocket plugin's WebSocket message relay logic. The previous patch for CVE-2026-40911 only sanitized payloads nested under $json['msg'], while the relay function msgToResourceId() reads the outbound message from $msg['json'] first. An unauthenticated attacker can obtain a WebSocket token, connect to the server, and deliver an autoEvalCodeOnHTML payload that any logged-in target executes through client-side eval(). The issue maps to CWE-94: Improper Control of Generation of Code.
Critical Impact
Unauthenticated attackers can deliver arbitrary JavaScript that executes in the browser session of any authenticated AVideo user, enabling account takeover and session theft.
Affected Products
- WWBN AVideo versions up to and including 29.0
- YPTSocket plugin component
- Deployments exposing plugin/YPTSocket/getWebSocket.json.php to untrusted networks
Discovery Timeline
- 2026-05-11 - CVE-2026-43874 published to NVD
- 2026-05-12 - Last updated in NVD database
- Fix committed in commit 9f3006f9a89a34daa67a83c6ad35f450cb91fcce
Technical Details for CVE-2026-43874
Vulnerability Analysis
The vulnerability is a server-side sanitization bypass that enables client-side code injection through a WebSocket relay. AVideo's YPTSocket plugin processes inbound WebSocket messages and forwards them to targeted users by user ID. A previous fix for CVE-2026-40911 introduced a strip branch that removes the autoEvalCodeOnHTML field from incoming payloads. The strip logic only inspects the msg key of the decoded JSON object.
The relay function msgToResourceId() prefers $msg['json'] over $msg['msg'] when constructing the outbound payload. Attackers exploit this ordering mismatch by nesting autoEvalCodeOnHTML inside the top-level json field. The sanitizer never inspects that path, so the payload reaches the recipient unchanged. The receiving client passes the value to eval(), executing attacker-controlled JavaScript in the authenticated user's browser context.
Root Cause
The root cause is inconsistent field selection between the sanitization routine and the relay routine. The strip function and the dispatch function disagree on which key holds the authoritative message body. This logic gap allows the attacker to place the dangerous field on a path the sanitizer ignores.
Attack Vector
The attack requires no authentication. An attacker fetches a valid WebSocket token from the public endpoint plugin/YPTSocket/getWebSocket.json.php. The attacker then opens a WebSocket connection to the server, supplies a to_users_id value identifying the target, and sends a JSON message with autoEvalCodeOnHTML nested under a top-level json field. The server relays the payload verbatim, and the target client evaluates the injected code on receipt. Refer to the GitHub Security Advisory GHSA-ghcv-22jf-vfxm for further technical context.
Detection Methods for CVE-2026-43874
Indicators of Compromise
- Unauthenticated requests to plugin/YPTSocket/getWebSocket.json.php followed by WebSocket connections from the same client.
- WebSocket frames containing the string autoEvalCodeOnHTML nested under a json key rather than msg.
- Unexpected outbound HTTP requests originating from authenticated user sessions shortly after WebSocket traffic.
Detection Strategies
- Inspect WebSocket payloads at the proxy or WAF layer for the literal autoEvalCodeOnHTML token outside expected field paths.
- Correlate token issuance from getWebSocket.json.php with the source IP of subsequent WebSocket frames to flag anonymous senders.
- Hunt web server access logs for clients pulling WebSocket tokens without prior session cookies or referer activity.
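As an added illustration (not code from AVideo or the advisory), the following Python models the sanitizer/relay field mismatch described under Vulnerability Analysis and the payload scan suggested under Detection Strategies. The sample frames, function names and the simplified relay model are constructed for this example.

```python
import json

MARKER = "autoEvalCodeOnHTML"

# Constructed sample frames shaped like the relay messages the advisory
# describes; not captured from a real AVideo deployment.
FRAMES = [
    '{"to_users_id": "42", "msg": {"text": "hello"}}',
    '{"to_users_id": "42", "msg": {"text": "hi", "autoEvalCodeOnHTML": "/*x*/"}}',
    '{"to_users_id": "7", "json": {"autoEvalCodeOnHTML": "/*x*/"}, "msg": {"text": "ok"}}',
]

def find_marker_paths(node, path=()):
    """Return every key path at which MARKER appears, at any nesting depth."""
    hits = []
    if isinstance(node, dict):
        for key, val in node.items():
            if key == MARKER:
                hits.append(path + (key,))
            hits.extend(find_marker_paths(val, path + (key,)))
    elif isinstance(node, list):
        for idx, val in enumerate(node):
            hits.extend(find_marker_paths(val, path + (idx,)))
    return hits

def strip_msg_only(frame):
    """Model of the earlier strip branch: it only inspects the 'msg' key."""
    if isinstance(frame.get("msg"), dict):
        frame["msg"].pop(MARKER, None)
    return frame

def relay_body(frame):
    """Model of the relay's field preference: 'json' is read before 'msg'."""
    return frame["json"] if "json" in frame else frame.get("msg")

def strip_everywhere(node):
    """Hardened strip: drop MARKER at every depth, whichever key the relay reads."""
    if isinstance(node, dict):
        return {k: strip_everywhere(v) for k, v in node.items() if k != MARKER}
    if isinstance(node, list):
        return [strip_everywhere(v) for v in node]
    return node

def scan_frames(raw_frames):
    """Detection: report (target user id, key path) for every MARKER occurrence."""
    findings = []
    for raw in raw_frames:
        try:
            frame = json.loads(raw)
        except ValueError:
            continue  # non-JSON frames are out of scope for this check
        for path in find_marker_paths(frame):
            findings.append((frame.get("to_users_id"), "/".join(map(str, path))))
    return findings
```

Running scan_frames over the constructed frames flags both the msg-nested and the json-nested occurrence; the msg-only strip leaves the json-nested one in the relayed body while the hardened strip removes it.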
Monitoring Recommendations
- Enable verbose logging on the YPTSocket plugin to capture relayed message structure and to_users_id targeting patterns.
- Monitor authenticated user browsers for anomalous JavaScript execution, such as unexpected fetch() calls to admin endpoints.
- Alert on bursts of WebSocket messages addressed to high-privilege account IDs from a single source.
How to Mitigate CVE-2026-43874
Immediate Actions Required
- Upgrade AVideo to a build that includes commit 9f3006f9a89a34daa67a83c6ad35f450cb91fcce.
- Restrict network access to the WebSocket endpoint and plugin/YPTSocket/getWebSocket.json.php while patching is in progress.
- Force logout of active sessions after applying the patch to invalidate any pre-existing tokens.
Patch Information
The maintainers shipped an updated fix in commit 9f3006f9a89a34daa67a83c6ad35f450cb91fcce. The patch aligns the sanitization branch with the relay's field selection so the autoEvalCodeOnHTML payload is stripped regardless of whether it appears under msg or json. Administrators should rebuild and redeploy from the patched source tree or wait for an official release tag that supersedes 29.0.
Workarounds
- Disable the YPTSocket plugin if WebSocket-driven features are not required in production.
- Block external access to plugin/YPTSocket/getWebSocket.json.php at the reverse proxy until the patched commit is deployed.
- Add a WAF rule that drops WebSocket frames containing autoEvalCodeOnHTML anywhere in the payload.
# Example nginx rule restricting token issuance to a trusted network
# (10.0.0.0/8 is a placeholder; substitute the address range that should reach the endpoint)
location = /plugin/YPTSocket/getWebSocket.json.php {
    allow 10.0.0.0/8;
    deny all;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.