CVE-2026-43876
Stored XSS in WWBN AVideo via Email Template Injection
Publication date: 2026-05-11
Last updated on: 2026-05-11
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wwbn | avideo | up to and including 29.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in WWBN AVideo, an open source video platform, in versions up to and including 29.0. It occurs because the application takes the raw value of the message POST parameter and inserts it directly into an HTML email template without any sanitization, escaping, or encoding. Specifically, the message is passed into the sendSiteEmail() function and rendered with PHPMailer::msgHTML() without filtering attacker-controlled HTML content.
As a result, any authenticated user with upload permission can send arbitrary HTML content (such as phishing links, tracking pixels, or UI spoofing elements) to every subscriber on their channel, potentially up to 10,000 recipients per message. The emails appear to come from the platform's official contact address and include the site's logo and title, making the malicious content look like legitimate platform communication.
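As an added illustration written for this page (not AVideo's own code or its fix), the PHP below contrasts the unsafe body-building pattern the answer describes with a hardened form that encodes the message before it reaches the template; the function names and the sample message are hypothetical, and PHPMailer is not needed because the defect lies in how the body string is assembled before msgHTML() receives it.

```php
<?php
// Added illustration, not code from AVideo. msgHTML() treats its argument as
// trusted HTML, so any escaping has to happen while the body string is built.

// Unsafe pattern the advisory describes: the raw POST value is concatenated
// into the template, so any tag in it reaches every subscriber's mail client.
function buildBodyUnsafe(string $siteTitle, string $message): string
{
    $title = htmlspecialchars($siteTitle, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<h1>{$title}</h1><div>{$message}</div>";
}

// Hardened form (assumption: subscriber messages are meant to be plain text).
// Every character with HTML meaning is encoded and line breaks become <br />,
// so a crafted message is displayed as literal text instead of being rendered.
function buildBodySafe(string $siteTitle, string $message): string
{
    $title = htmlspecialchars($siteTitle, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $text  = htmlspecialchars($message, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<h1>{$title}</h1><div>" . nl2br($text) . "</div>";
}

// Cheap pre-send check for the interim monitoring the advisory suggests:
// a message that should be plain text must survive strip_tags() unchanged.
function containsMarkup(string $message): bool
{
    return $message !== strip_tags($message);
}

function check(bool $cond, string $what): void
{
    if (!$cond) {
        throw new RuntimeException("check failed: {$what}");
    }
}

// Constructed sample message with an embedded link (hypothetical host).
$message = "New video is up!\n<a href=\"https://example.invalid/login\">Sign in to watch</a>";
$unsafe  = buildBodyUnsafe('Example Site', $message);
$safe    = buildBodySafe('Example Site', $message);

check(strpos($unsafe, '<a href=') !== false,  'unsafe body keeps a live link');
check(strpos($safe, '<a href=') === false,    'safe body has no live link');
check(strpos($safe, '&lt;a href=') !== false, 'safe body shows the tag as text');
check(containsMarkup($message),               'monitor flags the sample message');
check(!containsMarkup('plain text only'),     'monitor accepts plain text');

echo $safe, PHP_EOL;
```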
How can this vulnerability impact me?
This vulnerability can have several impacts:
- Phishing attacks: Attackers can send emails containing malicious links that appear to be from the official platform, tricking users into revealing sensitive information.
- Privacy violations: Tracking pixels embedded in the emails can be used to monitor user behavior without consent.
- User interface spoofing: Malicious HTML and CSS can be used to impersonate legitimate site elements, potentially misleading users.
- Reputation damage: Since the emails come from the platform's official contact address and branding, the platform's reputation could be harmed if users receive malicious content.
- Wide reach: The attacker can send these malicious emails to up to 10,000 subscribers per invocation, amplifying the impact.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, update WWBN AVideo to a version later than 29.0, where the issue has been fixed.
The root cause is that the message POST parameter is inserted directly into HTML emails without sanitization, allowing authenticated users with upload permission to send arbitrary HTML to their subscribers.
Until you can update, consider restricting upload permission to trusted users only and monitoring outgoing notification emails for unexpected HTML.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows authenticated users with upload permission to send arbitrary HTML emails to up to 10,000 subscribers per invocation. These emails can include phishing links, tracking pixels, and UI spoofing, appearing as official platform communications.
Such unauthorized and potentially malicious email broadcasts could lead to violations of data protection and privacy regulations like GDPR and HIPAA, as they may expose users to phishing attacks and unauthorized tracking without their consent.
Therefore, the vulnerability poses a risk to compliance with standards that require protection of user data and prevention of unauthorized communications.