CVE-2026-43874: CWE-94: Improper Control of Generation of Code ('Code Injection') in WWBN AVideo
CVE-2026-43874 is a high-severity code injection vulnerability in WWBN AVideo versions up to and including 29. 0. It arises because the server-side mitigation for a previous vulnerability (CVE-2026-40911) only strips malicious payloads under a specific JSON field ($json['msg']), but the actual message relay function uses a different JSON path ($msg['json']). This discrepancy allows an unauthenticated attacker to obtain a WebSocket token, connect to the WebSocket server, and send a crafted message that bypasses the stripping mechanism. The malicious payload is then delivered verbatim to logged-in users and executed client-side via eval(), leading to code injection. A fix has been committed but no official patch or vendor advisory is currently provided.
AI Analysis
Technical Summary
WWBN AVideo versions up to 29.0 contain a code injection vulnerability (CWE-94) due to improper control of code generation in the WebSocket message handling. The mitigation for the YPTSocket autoEvalCodeOnHTML eval sink only removes payloads under $json['msg'], but the relay function msgToResourceId() selects messages from $msg['json'], allowing crafted payloads to bypass filtering. An unauthenticated attacker can retrieve a WebSocket token, connect to the WebSocket server, and send malicious code nested under a top-level json field. This payload is relayed without stripping to logged-in users identified by to_users_id, where client-side eval() executes it. A commit (9f3006f9a89a34daa67a83c6ad35f450cb91fcce) contains an updated fix, but no official patch or advisory is documented.
Potential Impact
An unauthenticated attacker can inject and execute arbitrary code in the context of logged-in users via the WebSocket interface. This can lead to partial confidentiality and integrity loss (CVSS impact: C:L/I:L/A:N). The vulnerability allows code execution on client browsers of authenticated users, potentially enabling further attacks such as session hijacking or data manipulation. There are no known exploits in the wild as of the published date.
Mitigation Recommendations
Patch status is not yet confirmed — no official vendor advisory or patch link is provided. A code fix has been committed in the source repository (commit 9f3006f9a89a34daa67a83c6ad35f450cb91fcce) that addresses the issue. Users should monitor the vendor's official channels for an official patch or update and apply it promptly once available. Until then, consider restricting access to the WebSocket endpoint or implementing additional filtering controls if feasible.
CVE-2026-43874: CWE-94: Improper Control of Generation of Code ('Code Injection') in WWBN AVideo
Description
CVE-2026-43874 is a high-severity code injection vulnerability in WWBN AVideo versions up to and including 29. 0. It arises because the server-side mitigation for a previous vulnerability (CVE-2026-40911) only strips malicious payloads under a specific JSON field ($json['msg']), but the actual message relay function uses a different JSON path ($msg['json']). This discrepancy allows an unauthenticated attacker to obtain a WebSocket token, connect to the WebSocket server, and send a crafted message that bypasses the stripping mechanism. The malicious payload is then delivered verbatim to logged-in users and executed client-side via eval(), leading to code injection. A fix has been committed but no official patch or vendor advisory is currently provided.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
WWBN AVideo versions up to 29.0 contain a code injection vulnerability (CWE-94) due to improper control of code generation in the WebSocket message handling. The mitigation for the YPTSocket autoEvalCodeOnHTML eval sink only removes payloads under $json['msg'], but the relay function msgToResourceId() selects messages from $msg['json'], allowing crafted payloads to bypass filtering. An unauthenticated attacker can retrieve a WebSocket token, connect to the WebSocket server, and send malicious code nested under a top-level json field. This payload is relayed without stripping to logged-in users identified by to_users_id, where client-side eval() executes it. A commit (9f3006f9a89a34daa67a83c6ad35f450cb91fcce) contains an updated fix, but no official patch or advisory is documented.
Potential Impact
An unauthenticated attacker can inject and execute arbitrary code in the context of logged-in users via the WebSocket interface. This can lead to partial confidentiality and integrity loss (CVSS impact: C:L/I:L/A:N). The vulnerability allows code execution on client browsers of authenticated users, potentially enabling further attacks such as session hijacking or data manipulation. There are no known exploits in the wild as of the published date.
Mitigation Recommendations
Patch status is not yet confirmed — no official vendor advisory or patch link is provided. A code fix has been committed in the source repository (commit 9f3006f9a89a34daa67a83c6ad35f450cb91fcce) that addresses the issue. Users should monitor the vendor's official channels for an official patch or update and apply it promptly once available. Until then, consider restricting access to the WebSocket endpoint or implementing additional filtering controls if feasible.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-05-04T15:17:09.329Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a028779cbff5d86108b8099
Added to database: 5/12/2026, 1:50:49 AM
Last enriched: 5/12/2026, 2:07:59 AM
Last updated: 5/12/2026, 3:04:23 AM
Views: 2
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.