CVE-2026-49279
published 2026-06-04
Severity: high (7.2)
WWBN AVideo: Stored XSS via autoEvalCodeOnHTML Bypass in MessageSQLite WebSocket Handler (CVE-2026-43874 Bypass)
# AVideo: Stored XSS via `autoEvalCodeOnHTML` in MessageSQLite WebSocket Handler
## Summary
AVideo has a stored XSS vulnerability in the WebSocket messaging system. The `MessageSQLite.php` handler only strips `autoEvalCodeOnHTML` from `$json['msg']`, but `msgToResourceId()` reads from `$msg['json']` with higher priority. An attacker can place the XSS payload in the `json` key instead of `msg`, bypassing the sanitization entirely.
## Affected Versions
AVideo (see the affected-version table below).
`plugin/YPTSocket/MessageSQLite.php` lines 268-271, the partial fix that strips the key only from `$json['msg']`:
```php
if (!isCommandLineInterface() && ($msgObj->sentFrom ?? '') !== 'php') {
    if (is_array($json['msg'] ?? null)) {
        unset($json['msg']['autoEvalCodeOnHTML']); // Only strips from $json['msg']
    }
}
```
`plugin/YPTSocket/MessageSQLite.php` lines 361-367 — the bypass via `msgToResourceId()`:
```php
if (!empty($msg['json'])) {
$obj['msg'] = $msg['json']; // $msg['json']['autoEvalCodeOnHTML'] is NEVER stripped
} else if (!empty($msg['msg'])) {
$obj['msg'] = $msg['msg']; // Only this path was sanitized
} else {
$obj['msg'] = $msg;
}
```
Compare with the correctly patched `Message.php` (lines 254-256):
```php
$json = removeAutoEvalCodeOnHTMLRecursive($json); // Strips from ALL nested paths
```
And `MessageSQLiteV2.php` (lines 302-303):
```php
$json = removeAutoEvalCodeOnHTMLRecursive($json); // Same recursive fix
```
`MessageSQLite.php` does not call `removeAutoEvalCodeOnHTMLRecursive()` at all.
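To make the difference concrete, here is an added illustration (not AVideo's code) that reproduces the shallow strip from the page beside an assumed recursive variant (`stripRecursive`, our own name, modelled on the page's description of `removeAutoEvalCodeOnHTMLRecursive`) and applies the same `json`-before-`msg` precedence as `msgToResourceId()` to a constructed message:

```php
<?php
// Added illustration, not AVideo's code: why removing the key from
// $json['msg'] alone is insufficient when the handler prefers $msg['json'].

// Mirrors the partial check quoted on the page: only $json['msg'] is touched.
function stripShallow(array $json): array {
    if (is_array($json['msg'] ?? null)) {
        unset($json['msg']['autoEvalCodeOnHTML']);
    }
    return $json;
}

// Assumed recursive variant (our own name, modelled on the page's description
// of removeAutoEvalCodeOnHTMLRecursive): removes the key at every nesting level.
function stripRecursive(array $json): array {
    unset($json['autoEvalCodeOnHTML']);
    foreach ($json as $key => $value) {
        if (is_array($value)) {
            $json[$key] = stripRecursive($value);
        }
    }
    return $json;
}

// Same precedence as msgToResourceId(): 'json' wins over 'msg'.
function selectPayload(array $msg) {
    if (!empty($msg['json'])) {
        return $msg['json'];
    } elseif (!empty($msg['msg'])) {
        return $msg['msg'];
    }
    return $msg;
}

// Constructed sample message: the key is placed under 'json', not 'msg'.
$incoming = [
    'msg'  => ['text' => 'hello'],
    'json' => ['text' => 'hello', 'autoEvalCodeOnHTML' => '/* client-evaluated */'],
];

$afterShallow   = selectPayload(stripShallow($incoming));
$afterRecursive = selectPayload(stripRecursive($incoming));

echo 'shallow strip, key still present: ',
     isset($afterShallow['autoEvalCodeOnHTML']) ? 'yes' : 'no', PHP_EOL;
echo 'recursive strip, key still present: ',
     isset($afterRecursive['autoEvalCodeOnHTML']) ? 'yes' : 'no', PHP_EOL;
```

The shallow path leaves the key in the selected payload because the handler never looks at `msg` when `json` is non-empty; the recursive path removes it from every nested array before selection.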
### Attack Chain
- Attacker sends a WebSocket message with `autoEvalCodeOnHTML` in the `json` key instead of `msg`
- The fix at lines 268-271 only checks `$json['msg']`; the `json` key is untouched
- `msgToResourceId()` reads `$msg['json']` first (line 361) because `!empty($msg['json'])` is true
- The payload is delivered to the victim's WebSocket client and evaluated via `autoEvalCodeOnHTML`
## Proof of Concept
```javascript
// Connect to AVideo WebSocket as authenticated user
const ws = new WebSocket('wss://TARG
```
## Affected ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| wwbn | avideo | 0 – 29.0 | — |