CVE-2026-43876 Overview
CVE-2026-43876 is a stored HTML injection vulnerability [CWE-79] in WWBN AVideo, an open source video platform. The flaw resides in objects/notifySubscribers.json.php, which accepts the message POST parameter and passes it unsanitized to sendSiteEmail(). The function injects the value into an HTML email template through str_replace on the {message} placeholder and renders it with PHPMailer::msgHTML(). Any authenticated user with upload permission can broadcast arbitrary HTML — including phishing links, tracking pixels, and CSS-based UI spoofing — to every channel subscriber, up to 10,000 recipients per request. The emails arrive from the platform's official contact address with branded styling, granting attacker content the appearance of legitimate platform communication.
Critical Impact
Authenticated channel owners can deliver attacker-controlled HTML inside branded, platform-signed notification emails to up to 10,000 subscribers per invocation, enabling large-scale phishing campaigns.
Affected Products
- WWBN AVideo versions up to and including 29.0
- objects/notifySubscribers.json.php endpoint
- Sites using the default subscriber notification workflow
Discovery Timeline
- 2026-05-11 - CVE-2026-43876 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-43876
Vulnerability Analysis
The vulnerable endpoint objects/notifySubscribers.json.php reads the raw message POST parameter and assigns it directly to the $message variable. That value is then forwarded to sendSiteEmail(), which performs a literal str_replace of the {message} placeholder inside a pre-built HTML template. The composed document is then rendered by PHPMailer::msgHTML(), which treats the entire payload as HTML.
No sanitization layer sits between user input and the rendered email. The endpoint does not call htmlspecialchars, strip_tags, or the project's existing xss_esc helper before substitution. As a result, attacker markup — anchors, images, inline styles, and tracking pixels — is preserved verbatim in outbound mail.
Because the message is wrapped in the configured site logo, title, and From: address, recipient mail clients display the message as an official platform notification. The volume cap of 10,000 recipients per call turns a single authenticated request into a mass-distribution channel.
Root Cause
The root cause is missing output encoding on attacker-controlled input embedded in an HTML email body. The platform's xss_esc() and nl2br() helpers were not invoked on $_POST['message'] before template interpolation. The pipeline assumes trusted plain-text content but delivers it through an HTML renderer.
Attack Vector
Exploitation requires an authenticated account with upload permission on the AVideo instance. The attacker submits a crafted POST request to notifySubscribers.json.php with HTML-bearing content in the message field. The server then mails the rendered HTML to every subscriber of the attacker's channel, leveraging the platform's outbound reputation and branding.
// Patch from objects/notifySubscribers.json.php
$subject = 'Message From Site ' . $config->getWebSiteTitle();
-$message = $_POST['message'];
+$message = (string)($_POST['message'] ?? '');
+// Notifications must be plain text to avoid arbitrary HTML in branded emails.
+$message = nl2br(xss_esc($message));
$resp = sendSiteEmail($to, $subject, $message);
Source: WWBN AVideo commit 078c4342. The fix coerces the input to a string, applies the project's xss_esc() HTML-escape helper, and converts newlines with nl2br() so notifications stay plain text inside the branded template.
Detection Methods for CVE-2026-43876
Indicators of Compromise
- Outbound emails from the configured site contact address containing unexpected <a>, <img>, or <style> tags inside the {message} block.
- Spikes in calls to objects/notifySubscribers.json.php from a single authenticated session, especially with large message payloads.
- Subscriber reports of branded notification emails containing external links to credential-collection or impersonation pages.
Detection Strategies
- Inspect web access logs for POST requests to notifySubscribers.json.php and flag bodies whose message parameter contains HTML tag patterns such as <a , <img , <script, or href=.
- Compare outbound mail volume against historical baselines per channel owner to surface broadcasts that approach the 10,000-recipient ceiling.
- Correlate authenticated upload-permission accounts with sudden notification activity to identify abused or newly created accounts.
Monitoring Recommendations
- Forward AVideo PHP and web server logs to a centralized analytics platform and alert on the notifySubscribers.json.php endpoint.
- Mirror outbound SMTP traffic from the AVideo host through a content inspection gateway to identify HTML payloads in notification templates.
- Track creation and permission changes for accounts granted upload rights, since this is the minimum privilege needed for exploitation.
How to Mitigate CVE-2026-43876
Immediate Actions Required
- Upgrade WWBN AVideo to the version containing commit 078c4342eb9969a70425a9cdca3eefa7f8a86d53 or later.
- Audit recent invocations of notifySubscribers.json.php and notify subscribers if malicious HTML was distributed.
- Review and restrict upload permissions to trusted accounts until the patch is deployed.
Patch Information
The maintainers fixed the issue by sanitizing the message parameter before passing it to sendSiteEmail(). The patched code casts the input to a string, runs it through xss_esc() for HTML escaping, and applies nl2br() to preserve line breaks. Details are available in the GitHub Security Advisory GHSA-g9cm-rxp7-6gv5 and the upstream commit.
Workarounds
- Temporarily disable the subscriber notification feature by restricting access to objects/notifySubscribers.json.php at the web server layer.
- Apply a WAF rule that rejects POST requests to the endpoint when the message body contains HTML tag characters.
- Revoke upload permission from non-essential accounts until the patched release is installed.
# Example nginx rule to block HTML payloads to the vulnerable endpoint
location = /objects/notifySubscribers.json.php {
if ($request_method = POST) {
if ($request_body ~* "<[a-z!/]") { return 403; }
}
proxy_pass http://avideo_backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
