CVE-2026-49279
Received Received - Intake

Stored XSS in WWBN AVideo via WebSocket Message Handler

Vulnerability report for CVE-2026-49279, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-15

Last updated on: 2026-07-15

Assigner: GitHub, Inc.

Description

WWBN AVideo is an open source video platform. Versions 29.0 and below contain a Stored XSS vulnerability through the autoEvalCodeOnHTML parameter in the MessageSQLite WebSocket Handler. The MessageSQLite.php handler only strips autoEvalCodeOnHTML from $json['msg'], but msgToResourceId() reads from $msg['json'] with higher priority. An attacker can place the XSS payload in the json key instead of msg, bypassing the sanitization entirely. An authenticated attacker can execute arbitrary JavaScript in any connected user's browser session via the WebSocket messaging system, stealing session cookies and authentication tokens, taking over accounts through session hijacking, and chaining with CSRF to perform admin actions on the victim's behalf, in the default SQLite WebSocket backend configuration. This issue has a patch that has yet to be officially released, see https://github.com/WWBN/AVideo/commit/3e0b3ce2bfa766183ff0ae227439394db57b1a23.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-15
Last Modified
2026-07-15
Generated
2026-07-16
AI Q&A
2026-07-16
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
wwbn avideo to 30.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This is a Stored Cross-Site Scripting (XSS) vulnerability in WWBN AVideo versions 29.0 and below. It occurs through the autoEvalCodeOnHTML parameter in the MessageSQLite WebSocket Handler. The vulnerability allows an attacker to bypass input sanitization by placing an XSS payload in the json key instead of the msg key. This enables execution of arbitrary JavaScript in the browsers of connected users.

Impact Analysis

An authenticated attacker can steal session cookies and authentication tokens, hijack user accounts, and perform actions on behalf of victims. This includes taking over accounts and chaining with CSRF to perform admin actions if the SQLite WebSocket backend is in default configuration.

Compliance Impact

This vulnerability could lead to unauthorized access to sensitive data, violating confidentiality requirements in GDPR and HIPAA. It may result in data breaches, non-compliance with data protection obligations, and potential legal consequences for organizations.

Detection Guidance

Detecting this vulnerability requires checking for the presence of the autoEvalCodeOnHTML parameter in WebSocket messages. Monitor WebSocket traffic for messages containing json keys with XSS payloads. Use network sniffing tools like Wireshark or tcpdump to capture WebSocket frames and inspect for suspicious payloads in the json field.

Mitigation Strategies

Apply the patch from the provided commit link immediately. Until then, disable the SQLite WebSocket backend if possible. Restrict WebSocket message handling to sanitize json fields, not just msg. Implement strict input validation for all WebSocket messages and monitor for unusual activity.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-49279. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart