Remote Code Execution in WWBN AVideo YPTSocket Plugin
CVE-2026-40911

CVSS score: 10 (CRITICAL)

Key Information:

Vendor: WWBN
Status: Vendor
CVE Published: 21 April 2026

What is CVE-2026-40911?

The YPTSocket plugin for the AVideo platform contains a critical vulnerability that lets unauthorized attackers push malicious JavaScript to every connected client, administrators included. The WebSocket server relays unsanitized JSON message bodies to all clients, and the receiving side passes them to eval() without validation. Because the system issues tokens to anonymous users and never revalidates them afterwards, an attacker can use this flaw to execute arbitrary code in clients' browsers, with potentially severe consequences such as account takeover, session theft, and unauthorized use of privileged actions. A patch addressing this vulnerability has been implemented in a recent commit.
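The defensive counterpart to the flaw described above, as an added example that is not the plugin's own code: a hypothetical client-side handler that treats every relayed WebSocket frame strictly as data (JSON.parse, an allowlist of message types, fixed handlers) so that a message body containing JavaScript source is never executed. The message shape, handler names and size limit are assumptions for illustration.

```javascript
// Hypothetical hardened client-side handler for a WebSocket relay; added
// example, not the YPTSocket plugin's own code. Every incoming frame is
// treated strictly as data: JSON.parse, allowlisted message types, fixed
// handlers. Nothing from the wire reaches eval(), Function() or innerHTML.

const MAX_MESSAGE_BYTES = 4096; // assumed limit; drop oversized frames early

// Allowlisted message types -> handler. Each handler copies only the fields it
// expects, coerced to the expected primitive type; extra fields are discarded.
const HANDLERS = {
  chat: (m) => ({ kind: 'chat', user: String(m.user ?? ''), text: String(m.text ?? '') }),
  viewers: (m) => ({ kind: 'viewers', count: Number.isInteger(m.count) ? m.count : 0 }),
};

// Parse and validate one raw frame. Returns {accepted, result|reason} so the
// caller can log drops instead of silently ignoring them.
function handleSocketMessage(raw) {
  if (typeof raw !== 'string' || raw.length > MAX_MESSAGE_BYTES) {
    return { accepted: false, reason: 'oversized or non-text frame' };
  }
  let msg;
  try {
    msg = JSON.parse(raw); // parse, never eval
  } catch {
    return { accepted: false, reason: 'invalid JSON' };
  }
  if (msg === null || typeof msg !== 'object' || Array.isArray(msg)) {
    return { accepted: false, reason: 'not a JSON object' };
  }
  // Own-property check: rejects unknown types and inherited names such as
  // "constructor" or "__proto__" that a plain HANDLERS[msg.type] would find.
  if (typeof msg.type !== 'string' || !Object.prototype.hasOwnProperty.call(HANDLERS, msg.type)) {
    return { accepted: false, reason: 'unknown message type' };
  }
  return { accepted: true, result: HANDLERS[msg.type](msg) };
}

// Constructed sample frames (not captured traffic): a normal chat line, one whose
// text is JavaScript source, one smuggling an extra callback-like field, and one
// with a type the client does not know.
const SAMPLE_FRAMES = [
  JSON.stringify({ type: 'chat', user: 'alice', text: 'hello' }),
  JSON.stringify({ type: 'chat', user: 'bob', text: 'alert(1)' }),
  JSON.stringify({ type: 'chat', user: 'mallory', text: 'x', callback: 'alert(1)' }),
  JSON.stringify({ type: 'run', code: 'alert(1)' }),
];

// Run every sample frame through the handler and return the outcomes.
function demo() {
  return SAMPLE_FRAMES.map(handleSocketMessage);
}
```

Rendering the accepted chat text into the page must then use textContent (or an equivalent escaping step), not innerHTML, so the string stays inert there too.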

Affected Version(s)

AVideo <= 29.0

References

CVSS V3.1

Score: 10
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
