CVE-2026-54458

WWBN · AVideo

A stored DOM Cross-Site Scripting vulnerability in the YPTSocket plugin of AVideo allows unauthenticated attackers to hijack administrative sessions via malicious WebSocket parameters.

Executive summary

An unauthenticated remote attacker can achieve full administrative takeover of the WWBN AVideo platform by exploiting a stored DOM Cross-Site Scripting vulnerability to hijack active sessions.

Vulnerability

The vulnerability stems from improper neutralization of input within the YPTSocket plugin, which processes attacker-controlled WebSocket parameters without validation. This allows an unauthenticated attacker to inject malicious JavaScript that executes within the context of an administrator session.

Business impact

The CVSS score of 9.6 highlights the critical risk of this vulnerability. Successful exploitation grants an attacker full control over the video platform, enabling data exfiltration, unauthorized modification of content, and potential lateral movement within the network. This represents a complete compromise of the platform's integrity and confidentiality.

Remediation

Immediate Action: Update the WWBN AVideo platform to the latest version, which includes the fix provided in the referenced commit.

Proactive Monitoring: Review web server and application logs for suspicious WebSocket connection requests or anomalies in the YPTSocket plugin traffic.

Compensating Controls: Utilize a Web Application Firewall (WAF) to inspect and block malicious input in WebSocket parameters that may attempt to inject unauthorized scripts.

Exploitation status

Public Exploit Available: No

Analyst recommendation

Given the potential for complete administrative compromise, organizations using AVideo must treat this as a high-priority update. Upgrading to the latest version is the only effective way to neutralize this cross-site scripting risk and prevent unauthorized access to sensitive administrative dashboards.