CVE-2026-54458
Received Received - Intake

Stored DOM XSS in AVideo YPTSocket Plugin

Vulnerability report for CVE-2026-54458, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-15

Last updated on: 2026-07-15

Assigner: GitHub, Inc.

Description

WWBN AVideo is an open source video platform. Versions prior to 29.0 contain a stored DOM Cross-Site Scripting vulnerability in the YPTSocket plugin. Any unauthenticated remote attacker can execute arbitrary JavaScript in the authenticated origin of every administrator currently viewing a page that renders the YPTSocket online-users debug panel. plugin/YPTSocket/getWebSocket.json.php issues a signed WebSocket token to any anonymous caller, and MessageSQLiteV2::onOpen at plugin/YPTSocket/MessageSQLiteV2.php lines 91 and 110 reads the attacker-controlled webSocketSelfURI and page_title query parameters from the WebSocket connection URL with no validation. Both values persist into the in-memory SQLite connections table and broadcast inside the users_id_online array sent to every connected client; on the client, plugin/YPTSocket/script.js::updateSocketUserCard interpolates the broadcast page_title into an HTML template literal that is passed to jQuery $.append(html), which parses attacker bytes into live DOM nodes including <img> with inline event handlers. Successful attackers can can read non-HttpOnly cookies and the CSRF token rendered into the admin dashboard, issue authenticated requests to any admin-only endpoint, exfiltrate the admin dashboard DOM, and chain into any admin-context mutation. When the victim is an AVideo administrator, the attacker turns a single anonymous WebSocket connection into full administrative takeover via the admin's own session. This issue has been patched by https://github.com/WWBN/AVideo/commit/8be71e53ccbe9b84b30870db386fb4d2b11e1c16.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-15
Last Modified
2026-07-15
Generated
2026-07-16
AI Q&A
2026-07-16
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
wwbn avideo to 29.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This is a stored DOM Cross-Site Scripting (XSS) vulnerability in WWBN AVideo versions before 29.0. It allows unauthenticated remote attackers to execute arbitrary JavaScript in the browser of any administrator viewing a page with the YPTSocket online-users debug panel. The attack exploits improper validation of WebSocket token parameters, which are then interpolated into HTML and rendered as live DOM nodes.

Impact Analysis

If you are an AVideo administrator, an attacker could take over your session by reading cookies, CSRF tokens, and exfiltrating the admin dashboard. They can then issue authenticated requests to admin-only endpoints and perform administrative actions. Even non-admin users may have their sessions compromised if they view affected pages.

Compliance Impact

This vulnerability could lead to unauthorized access to sensitive data, violating GDPR's data protection principles and HIPAA's security requirements. It enables attackers to exfiltrate admin dashboard content, which may contain personal or protected health information, leading to compliance breaches and potential legal consequences.

Detection Guidance

This vulnerability can be detected by checking for unauthenticated WebSocket connections to the YPTSocket plugin and inspecting the debug panel output for suspicious JavaScript execution. Look for connections to plugin/YPTSocket/getWebSocket.json.php with parameters like webSocketSelfURI and page_title containing executable code.

Mitigation Strategies

Upgrade AVideo to version 29.0 or later to apply the patch. If immediate upgrade is not possible, disable the YPTSocket plugin or restrict access to plugin/YPTSocket/getWebSocket.json.php via server configuration to prevent unauthenticated access.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-54458. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart