Remote Code Execution Vulnerability in WWBN AVideo Open Source Video Platform
CVE-2026-43874

7.2 HIGH

Key Information:

Vendor: Wwbn

Status
Vendor
CVE Published: 11 May 2026

What is CVE-2026-43874?

AVideo, an open-source video platform by WWBN, is affected by a remote code execution vulnerability in versions up to and including 29.0. The issue stems from improper input validation around the YPTSocket autoEvalCodeOnHTML function. An unauthenticated attacker who connects to the server over a WebSocket can craft messages that bypass the server's sanitization: when the payload is nested under a top-level JSON field, the server fails to sanitize it and delivers the potentially malicious code to logged-in users. This can result in arbitrary code execution on the client side. To mitigate, upgrade to the patched version referenced in the GitHub commit.
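
The gap between a top-level-only filter and one that walks the whole message, as an added example that is not AVideo's code or its patch. It assumes the field travels as a JSON key named `autoEvalCodeOnHTML`; the `json` wrapper key, the function names and the sample message are constructed for illustration.

```php
<?php
// Added illustration, not taken from the AVideo code base.
// Key name comes from the advisory; its use as a JSON key is an assumption.
const BLOCKED_KEY = 'autoEvalCodeOnHTML';

// Weak form: removes the key only at the top level of the decoded message.
function stripTopLevel(array $msg): array
{
    unset($msg[BLOCKED_KEY]);
    return $msg;
}

// Hardened form: walks every nested array, and re-checks string values that
// themselves hold JSON, so the key cannot hide below the top level.
function stripRecursive($value, int $depth = 0)
{
    if ($depth > 16) {
        throw new InvalidArgumentException('message nested too deeply');
    }
    if (is_string($value)) {
        $decoded = json_decode($value, true);
        return is_array($decoded)
            ? json_encode(stripRecursive($decoded, $depth + 1))
            : $value;
    }
    if (!is_array($value)) {
        return $value; // numbers, booleans, null pass through unchanged
    }
    $clean = [];
    foreach ($value as $k => $v) {
        if ($k === BLOCKED_KEY) {
            continue; // drop the key wherever it appears
        }
        $clean[$k] = stripRecursive($v, $depth + 1);
    }
    return $clean;
}

// Constructed sample: the field sits under a hypothetical top-level "json" key.
$raw = '{"msg":"hello","json":{"autoEvalCodeOnHTML":"PLACEHOLDER"}}';
$msg = json_decode($raw, true, 32, JSON_THROW_ON_ERROR);

echo json_encode(stripTopLevel($msg)), PHP_EOL;   // nested key survives
echo json_encode(stripRecursive($msg)), PHP_EOL;  // nested key removed
```

A stricter server would validate relayed messages against an allow-list of expected keys instead of removing one known-bad key.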

Affected Version(s)

AVideo <= 29.0

CVSS V3.1

Score: 7.2
Severity: HIGH
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
