CVE-2026-49279
published 2026-06-04

Severity: high (7.2)

WWBN AVideo: Stored XSS via autoEvalCodeOnHTML Bypass in MessageSQLite WebSocket Handler (CVE-2026-43874 Bypass)

# AVideo: Stored XSS via `autoEvalCodeOnHTML` in MessageSQLite WebSocket Handler

## Summary

AVideo has a stored XSS vulnerability in the WebSocket messaging system. The `MessageSQLite.php` handler only strips `autoEvalCodeOnHTML` from `$json['msg']`, but `msgToResourceId()` reads from `$msg['json']` with higher priority. An attacker can place the XSS payload in the `json` key instead of `msg`, bypassing the sanitization entirely.


## Affected Versions

AVideo

```php
isCommandLineInterface) && ($msgObj->sentFrom ?? '') !== 'php') {
    if (is_array($json['msg'] ?? null)) {
        unset($json['msg']['autoEvalCodeOnHTML']); // Only strips from $json['msg']
    }
}
```

`plugin/YPTSocket/MessageSQLite.php` lines 361-367 — the bypass via `msgToResourceId()`:

```php
if (!empty($msg['json'])) {
    $obj['msg'] = $msg['json']; // $msg['json']['autoEvalCodeOnHTML'] is NEVER stripped
} else if (!empty($msg['msg'])) {
    $obj['msg'] = $msg['msg']; // Only this path was sanitized
} else {
    $obj['msg'] = $msg;
}
```

Compare with the correctly patched `Message.php` (lines 254-256):

```php
$json = removeAutoEvalCodeOnHTMLRecursive($json); // Strips from ALL nested paths
```

And `MessageSQLiteV2.php` (lines 302-303):

```php
$json = removeAutoEvalCodeOnHTMLRecursive($json); // Same recursive fix
```

`MessageSQLite.php` does not call `removeAutoEvalCodeOnHTMLRecursive()` at all.

### Attack Chain

- Attacker sends a WebSocket message with `autoEvalCodeOnHTML` in the `json` key instead of `msg`
- The fix at line 268-271 only checks `$json['msg']` — the `json` key is untouched
- `msgToResourceId()` reads `$msg['json']` first (line 361) because `!empty($msg['json'])` is true
- The payload is delivered to the victim's WebSocket client and evaluated via `autoEvalCodeOnHTML`
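As an added example (not code from the AVideo project), the PHP below contrasts the shallow strip quoted above with a recursive strip in the spirit of `removeAutoEvalCodeOnHTMLRecursive()`, then applies the `json`-before-`msg` precedence of `msgToResourceId()` to see which key reaches the client. The function bodies are hypothetical reconstructions and the sample message is constructed.

```php
<?php
// Added example, not AVideo's own code. The recursive strip below is an assumed
// reconstruction of what removeAutoEvalCodeOnHTMLRecursive() is meant to do.

// Shallow strip, as the advisory describes for MessageSQLite.php: only $json['msg'].
function stripShallow(array $json): array {
    if (is_array($json['msg'] ?? null)) {
        unset($json['msg']['autoEvalCodeOnHTML']);
    }
    return $json;
}

// Recursive strip: drop the key at every nesting level, whatever the parent key is.
function stripRecursive(array $json): array {
    unset($json['autoEvalCodeOnHTML']);
    foreach ($json as $key => $value) {
        if (is_array($value)) {
            $json[$key] = stripRecursive($value);
        }
    }
    return $json;
}

// Mirrors the precedence quoted from msgToResourceId(): 'json' is read before 'msg'.
function selectPayload(array $msg): array {
    if (!empty($msg['json'])) {
        return $msg['json'];
    } elseif (!empty($msg['msg'])) {
        return $msg['msg'];
    }
    return $msg;
}

// True when the key that the client would evaluate survives the given sanitizer.
function keySurvives(array $msg, callable $sanitizer): bool {
    $clean = $sanitizer($msg);
    return array_key_exists('autoEvalCodeOnHTML', selectPayload($clean));
}

// Constructed sample: the key sits under 'json', not under 'msg'. The value is a
// placeholder string, not a payload.
$sample = [
    'json' => ['text' => 'hello', 'autoEvalCodeOnHTML' => 'PLACEHOLDER'],
    'msg'  => ['text' => 'hello'],
];

// Shallow strip leaves the 'json' branch untouched; recursive strip removes it.
var_dump(keySurvives($sample, 'stripShallow'));
var_dump(keySurvives($sample, 'stripRecursive'));
```

A defender can reuse `keySurvives()` as a regression check: any message shape for which it returns `true` after sanitization is a path that still reaches the client unsanitized.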

## Proof of Concept

```javascript
// Connect to AVideo WebSocket as authenticated user
const ws = new WebSocket('wss://TARG
```

Affected

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| wwbn | avideo | 0 – 29.0 | |