CVE-2026-40911 - Vulnerability Analysis
Severity: Critical | CVSS: 10.0 | Last Updated: April 21, 2026
WWBN AVideo - Stored XSS
Overview
WWBN AVideo <= 29.0 contains a stored XSS caused by unsanitized attacker-supplied JSON fields relayed via the YPTSocket plugin's WebSocket server. This lets unauthenticated attackers execute arbitrary JavaScript in all connected clients; exploitation requires no authentication.
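As an added illustration of the defensive handling this class of bug calls for (this is example code, not code from AVideo or the YPTSocket plugin, whose internals are not shown on this page): the field names `msg` and `callback` come from the advisory; the allowlisted callback names, the message shape limits and the text-only sink are assumptions made for the example. The relay side validates the shape of each JSON message and drops anything it does not expect, and the client side dispatches through a fixed handler table and writes the message as text, so markup in `msg` is never interpreted.

```javascript
// Added example, not AVideo/YPTSocket code. Field names `msg` and `callback`
// come from the advisory; callback names and message limits are assumed.

// Escape text for the case where it must be embedded into HTML on the server side.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Assumed allowlist of client-side callbacks the relay is willing to name.
const ALLOWED_CALLBACKS = new Set(['onChatMessage', 'onUserJoined']);
const MAX_MSG_LENGTH = 2000; // assumed limit

// Relay-side filter: accept only a JSON object whose `msg` is a bounded string
// and whose `callback` is on the allowlist. Unknown fields are dropped so the
// relayed message has exactly the shape the client expects.
function validateRelayMessage(rawJson, allowed = ALLOWED_CALLBACKS) {
  let parsed;
  try {
    parsed = JSON.parse(rawJson);
  } catch (e) {
    return { ok: false, reason: 'invalid-json' };
  }
  if (parsed === null || typeof parsed !== 'object' || Array.isArray(parsed)) {
    return { ok: false, reason: 'not-object' };
  }
  if (typeof parsed.msg !== 'string' || parsed.msg.length > MAX_MSG_LENGTH) {
    return { ok: false, reason: 'bad-msg' };
  }
  if (typeof parsed.callback !== 'string' || !allowed.has(parsed.callback)) {
    return { ok: false, reason: 'bad-callback' };
  }
  return { ok: true, message: { msg: parsed.msg, callback: parsed.callback } };
}

// Client-side dispatch: resolve the callback through a fixed handler table
// (never window[name] or eval) and give the handler a text-only sink.
function dispatchRelayMessage(message, handlers, sink) {
  const handler = Object.prototype.hasOwnProperty.call(handlers, message.callback)
    ? handlers[message.callback]
    : null;
  if (typeof handler !== 'function') return false;
  handler(message.msg, sink);
  return true;
}

// Stand-in for a DOM element so the example runs under Node; in a browser,
// pass a real element and the handler assigns its textContent the same way.
function makeTextSink() {
  return { textContent: '' };
}

// Handlers write through textContent, so "<script>" stays literal text.
const HANDLERS = {
  onChatMessage: (msg, sink) => { sink.textContent = msg; },
  onUserJoined: (msg, sink) => { sink.textContent = 'joined: ' + msg; },
};

// Constructed input: a message carrying markup in `msg`.
const CONSTRUCTED_INPUT = JSON.stringify({
  msg: '<script>x</script>',
  callback: 'onChatMessage',
  extra: 'should be dropped',
});

// End-to-end demo: validate on the relay, dispatch on the client, return what
// the client would actually display.
function demo(rawJson = CONSTRUCTED_INPUT) {
  const result = validateRelayMessage(rawJson);
  if (!result.ok) return { displayed: null, rejected: result.reason };
  const sink = makeTextSink();
  const handled = dispatchRelayMessage(result.message, HANDLERS, sink);
  return { displayed: handled ? sink.textContent : null, rejected: null };
}

console.log(demo());
```

In a real deployment the allowlist lives with the client code that defines the handlers, and the relay rejects rather than forwards anything that fails validation, so a single bad message never reaches the other connected clients.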
Severity & Score
Impact
Unauthenticated attackers can execute arbitrary JavaScript in all connected clients, leading to account takeover, session theft, and privileged action execution.
Mitigation
Update to the version including commit c08694bf6264eb4decceb78c711baee2609b4efd or later.
References
Social Media Activity(2 posts)
CVE-2026-40911 - Critical (10) WWBN AVideo is an open source video platform. In versions 29.0 and prior, the YPTSocket plugin's WebSocket server relays attacker-supplied JSON message bodies to every connected client without sanitizing the `msg` or `callback` fields. On the clie... https://www.thehackerwire.com/vulnerability/CVE-2026-40911/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
Related Resources
Details
- CVE ID: CVE-2026-40911
- Severity: Critical
- CVSS Score: 10.0
- Type: stored_xss
- Status: new
- EPSS: 0.0%
- Social Posts: 2
CWE
- CWE-94
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H