CVE-2026-49279 in AVideo
Summary
by MITRE • 07/16/2026
WWBN AVideo is an open source video platform. Versions 29.0 and below contain a Stored XSS vulnerability through the autoEvalCodeOnHTML parameter in the MessageSQLite WebSocket Handler. The MessageSQLite.php handler only strips autoEvalCodeOnHTML from $json['msg'], but msgToResourceId() reads from $msg['json'] with higher priority. An attacker can place the XSS payload in the json key instead of msg, bypassing the sanitization entirely. An authenticated attacker can execute arbitrary JavaScript in any connected user's browser session via the WebSocket messaging system, stealing session cookies and authentication tokens, taking over accounts through session hijacking, and chaining with CSRF to perform admin actions on the victim's behalf, in the default SQLite WebSocket backend configuration. This issue has a patch that has yet to be officially released, see https://github.com/WWBN/AVideo/commit/3e0b3ce2bfa766183ff0ae227439394db57b1a23.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 07/16/2026
The vulnerability exists within the AVideo platform's WebSocket messaging system where a stored cross-site scripting flaw has been identified in versions 29.0 and below. This issue stems from improper input sanitization mechanisms within the MessageSQLite WebSocket Handler component, specifically targeting the autoEvalCodeOnHTML parameter. The security flaw arises from a critical inconsistency in how the system processes incoming message data, creating an exploitable condition that allows attackers to bypass existing security controls.
The technical implementation of this vulnerability demonstrates a classic case of improper input validation where the sanitization routine only targets the msg key within the JSON structure but fails to adequately process the json key which takes precedence during message processing. The msgToResourceId() function reads from $msg['json'] with higher priority than the sanitized $json['msg'] value, creating an exploitable gap in the security controls. This design flaw allows malicious actors to place their XSS payloads directly within the json field rather than the msg field where sanitization occurs.
The operational impact of this vulnerability is severe and multifaceted for authenticated attackers who can leverage this weakness to execute arbitrary JavaScript code within any connected user's browser session. The consequences include complete session hijacking through cookie theft, authentication token extraction, and unauthorized account takeover capabilities. Attackers can chain this vulnerability with CSRF attacks to perform administrative actions on behalf of victims, effectively enabling full compromise of the platform's user base. This represents a critical risk in environments where multiple users maintain active WebSocket connections.
Security mitigations for this vulnerability should focus on implementing comprehensive input sanitization across all message fields, ensuring that both msg and json parameters undergo identical security validation processes. The patch referenced in the GitHub commit 3e0b3ce2bfa766183ff0ae227439394db57b1a23 addresses this by enforcing consistent sanitization across all message parameters regardless of their position within the JSON structure. Organizations should also consider implementing Content Security Policy headers and monitoring WebSocket traffic for suspicious patterns, aligning with CWE-79 principles for cross-site scripting prevention and ATT&CK technique T1059.007 for client-side code execution.