CVE-2026-43876
Received Received - Intake
Stored XSS in WWBN AVideo via Email Template Injection

Publication date: 2026-05-11

Last updated on: 2026-05-11

Assigner: GitHub, Inc.

Description
WWBN AVideo is an open source video platform. In versions up to and including 29.0, objects/notifySubscribers.json.php takes the raw message POST parameter and passes it into sendSiteEmail(), which substitutes it directly into an HTML email template (via str_replace on the {message} placeholder) and renders it with PHPMailer::msgHTML(). There is no HTML sanitization, character escaping, or output encoding on the attacker-controlled message between $_POST['message'] and the rendered email. Any authenticated user with upload permission can therefore broadcast arbitrary HTML β€” phishing links, tracking pixels, CSS/UI spoofing β€” to every subscriber on their channel (up to 10,000 recipients per invocation). The email is sent From: the platform's configured contact address and wrapped in the site's official logo and title, so attacker-supplied HTML arrives with the appearance of an official platform communication. Commit https://github.com/WWBN/AVideo/commit/ contains an updated fix.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-11
Last Modified
2026-05-11
Generated
2026-06-21
AI Q&A
2026-05-12
EPSS Evaluated
2026-06-20
NVD
CVE-2026-43876
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wwbn avideo to 29.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in WWBN AVideo, an open source video platform, in versions up to and including 29.0. It occurs because the application takes the raw message from a POST parameter and directly inserts it into an HTML email template without any sanitization, escaping, or encoding. Specifically, the message is passed into the sendSiteEmail() function and rendered with PHPMailer::msgHTML() without filtering attacker-controlled HTML content.

As a result, any authenticated user with upload permission can send arbitrary HTML contentβ€”such as phishing links, tracking pixels, or UI spoofing elementsβ€”to every subscriber on their channel, potentially up to 10,000 recipients per message. The emails appear to come from the platform's official contact address and include the site's logo and title, making the malicious content look like legitimate platform communication.

Impact Analysis

This vulnerability can have several impacts:

  • Phishing attacks: Attackers can send emails containing malicious links that appear to be from the official platform, tricking users into revealing sensitive information.
  • Privacy violations: Tracking pixels embedded in the emails can be used to monitor user behavior without consent.
  • User interface spoofing: Malicious HTML and CSS can be used to impersonate legitimate site elements, potentially misleading users.
  • Reputation damage: Since the emails come from the platform's official contact address and branding, the platform's reputation could be harmed if users receive malicious content.
  • Wide reach: The attacker can send these malicious emails to up to 10,000 subscribers per invocation, amplifying the impact.
Mitigation Strategies

To mitigate this vulnerability, you should update WWBN AVideo to a version later than 29.0 where the issue has been fixed.

The vulnerability arises because the message POST parameter is directly inserted into HTML emails without sanitization, allowing authenticated users with upload permission to send arbitrary HTML to subscribers.

Until you can update, consider restricting upload permissions to trusted users only and monitoring email content for suspicious HTML.

Compliance Impact

This vulnerability allows authenticated users with upload permission to send arbitrary HTML emails to up to 10,000 subscribers per invocation. These emails can include phishing links, tracking pixels, and UI spoofing, appearing as official platform communications.

Such unauthorized and potentially malicious email broadcasts could lead to violations of data protection and privacy regulations like GDPR and HIPAA, as they may expose users to phishing attacks and unauthorized tracking without their consent.

Therefore, the vulnerability poses a risk to compliance with standards that require protection of user data and prevention of unauthorized communications.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-43876. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart