Stored DOM Cross-Site Scripting Vulnerability in WWBN AVideo Platform
CVE-2026-54458

9.6CRITICAL

Key Information:

Vendor

Wwbn

Status
Vendor
CVE Published:
15 July 2026

What is CVE-2026-54458?

WWBN AVideo, an open-source video platform, contains a stored DOM Cross-Site Scripting vulnerability in the YPTSocket plugin prior to version 29.0. This flaw allows unauthenticated remote attackers to execute arbitrary JavaScript within the context of any administrator currently accessing the YPTSocket online-users debug panel. The vulnerability arises since a signed WebSocket token can be issued to any anonymous caller, failing to validate critical parameters that could lead to a full administrative takeover. Attackers can read sensitive non-HttpOnly cookies and exploit CSRF tokens to perform unauthorized actions or extract data from the admin dashboard. The exposed vulnerability has been remedied in subsequent patches.

Affected Version(s)

AVideo <= 29.0

References

CVSS V3.1

Score:
9.6
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.