Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1336 CNY

100%

CVE-2026-54458— AVideo: Unauthenticated Stored DOM Cross-Site Scripting via Per-Client Metadata Broadcast in YPTSocket Plugin

CVSS 9.6 · Critical EPSS 0.30% · P22

Affected Version Matrix 1

VendorProductVersion RangeStatus
WWBNAVideo<= 29.0affected
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-54458

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
AVideo: Unauthenticated Stored DOM Cross-Site Scripting via Per-Client Metadata Broadcast in YPTSocket Plugin
Source: NVD (National Vulnerability Database)
Vulnerability Description
WWBN AVideo is an open source video platform. Versions prior to 29.0 contain a stored DOM Cross-Site Scripting vulnerability in the YPTSocket plugin. Any unauthenticated remote attacker can execute arbitrary JavaScript in the authenticated origin of every administrator currently viewing a page that renders the YPTSocket online-users debug panel. plugin/YPTSocket/getWebSocket.json.php issues a signed WebSocket token to any anonymous caller, and MessageSQLiteV2::onOpen at plugin/YPTSocket/MessageSQLiteV2.php lines 91 and 110 reads the attacker-controlled webSocketSelfURI and page_title query parameters from the WebSocket connection URL with no validation. Both values persist into the in-memory SQLite connections table and broadcast inside the users_id_online array sent to every connected client; on the client, plugin/YPTSocket/script.js::updateSocketUserCard interpolates the broadcast page_title into an HTML template literal that is passed to jQuery $.append(html), which parses attacker bytes into live DOM nodes including <img> with inline event handlers. Successful attackers can can read non-HttpOnly cookies and the CSRF token rendered into the admin dashboard, issue authenticated requests to any admin-only endpoint, exfiltrate the admin dashboard DOM, and chain into any admin-context mutation. When the victim is an AVideo administrator, the attacker turns a single anonymous WebSocket connection into full administrative takeover via the admin's own session. This issue has been patched by https://github.com/WWBN/AVideo/commit/8be71e53ccbe9b84b30870db386fb4d2b11e1c16.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L
Source: NVD (National Vulnerability Database)
Vulnerability Type
在Web页面生成时对输入的转义处理不恰当(跨站脚本)
Source: NVD (National Vulnerability Database)
Vulnerability Title
WWBN AVideo 跨站脚本漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
WWBN avideo是WWBN组织开源的一套视频内容管理系统。 WWBN AVideo 29.0之前版本存在跨站脚本漏洞,该漏洞源于YPTSocket plugin中的存储型DOM跨站脚本漏洞,未经验证的攻击者可通过WebSocket连接远程发起攻击,在管理员查看YPTSocket online-users调试面板时执行任意JavaScript,读取非HttpOnly cookie和CSRF令牌,并实现完全管理接管。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
WWBNAVideo <= 29.0 -

II. Public POCs for CVE-2026-54458

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2026-54458

登录查看更多情报信息。

Patches & Fixes for CVE-2026-54458 (1)

Vendor Advisories for CVE-2026-54458 (1)

Same Patch Batch · WWBN · 2026-07-15 · 5 CVEs total

CVE-2026-501826.1 MEDIUMAVideo Has Unauthenticated Reflected XSS via $_GET['search'] in YouTubeAPI Gallery Paginat
CVE-2026-336845.3 MEDIUMAVideo's Privilege AVideo: Escalation via Unguarded Permission Parameters in signUp API Al
CVE-2026-501834.7 MEDIUMWWBN AVideo: Stored XSS via Hostile YouTube Video Title in AVideo YouTubeAPI Gallery Secti
CVE-2026-49279WWBN AVideo: Stored XSS via autoEvalCodeOnHTML Bypass in MessageSQLite WebSocket Handler (

IV. Related Vulnerabilities

V. Comments for CVE-2026-54458

No comments yet


Leave a comment