Stored DOM Cross-Site Scripting Vulnerability in WWBN AVideo Platform
CVE-2026-54458
9.6CRITICAL
What is CVE-2026-54458?
WWBN AVideo, an open-source video platform, contains a stored DOM Cross-Site Scripting vulnerability in the YPTSocket plugin prior to version 29.0. This flaw allows unauthenticated remote attackers to execute arbitrary JavaScript within the context of any administrator currently accessing the YPTSocket online-users debug panel. The vulnerability arises since a signed WebSocket token can be issued to any anonymous caller, failing to validate critical parameters that could lead to a full administrative takeover. Attackers can read sensitive non-HttpOnly cookies and exploit CSRF tokens to perform unauthorized actions or extract data from the admin dashboard. The exposed vulnerability has been remedied in subsequent patches.
Affected Version(s)
AVideo <= 29.0
