
WWBN AVideo flaw lets attackers steal accounts and sessions over the internet

CVE advisory

Severity: CRITICAL (CVSS 10.0)

CVE-2026-40911

A critical flaw in WWBN AVideo lets anyone steal accounts and sessions by broadcasting malicious code to all users. This impacts internet-facing video platforms, making it easy for attackers to take over user accounts and run commands.

Halo Surface Signal: 5

Weakness class: Code Injection

Product: WWBN AVideo

Affected versions: 29.0 and earlier

External exposure likelihood

Halo Surface Signal score for CVE-2026-40911

WWBN AVideo is a web-based video platform designed for content distribution to users over the internet. The affected WebSocket plugin is an integral component of this public-facing web application, making the service inherently internet-accessible as part of its standard deployment model for streaming or hosting video content.

PCI scan relevance

PCI Relevance for CVE-2026-40911

Yes

CVE-2026-40911 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This vulnerability in WWBN AVideo allows unauthenticated attackers to execute arbitrary JavaScript in users' browsers. This can lead to account takeover and session theft, making it relevant for PCI scans.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability in the WWBN AVideo platform allows an unauthenticated attacker to execute arbitrary JavaScript code in the browser of any connected user. This can lead to full account takeovers, session theft, and unauthorized actions performed on behalf of users, including administrators.

  • Affects all users, including administrators.
  • Enables universal account takeover.
  • Arbitrary code execution is possible.

Attack Path

How an attacker could exploit the issue

An unauthenticated attacker can inject arbitrary JavaScript into a WWBN AVideo instance, which then broadcasts to all connected users. This allows the attacker to execute code within the browser context of every user, including administrators, enabling account takeover and privileged actions.

  • Target all connected users.
  • No authentication required.
  • Exploits `eval` sinks.

Live Threat

Current exploitation, exposure, and threat context

This critical vulnerability allows unauthenticated attackers to execute arbitrary JavaScript in the context of all connected users, including administrators, leading to universal account takeover and session theft. The vulnerability stems from unsanitized input in a WebSocket plugin, directly feeding into `eval()` sinks on the client side. Attackers would likely find this attractive due to the broad impact and ease of exploitation against any user of an unpatched AVideo instance.

  • Exploitation is straightforward.
  • No authentication is required.
  • Universal session hijacking is possible.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize isolating WWBN AVideo instances running version 29.0 or earlier due to critical remote code execution and account takeover risks. The vulnerability allows unauthenticated attackers to execute arbitrary JavaScript on all connected clients.

  • Apply patch c08694bf6264eb4decceb78c711baee2609b4efd.
  • Isolate affected instances from network traffic.
  • Monitor for suspicious WebSocket activity.

Frequently asked questions

What is WWBN AVideo and what is it used for?

WWBN AVideo is an open-source video platform that allows users to host and distribute video content. It functions as a web-based application, making it accessible over the internet for streaming or sharing videos.

How does the CVE-2026-40911 vulnerability work?

This vulnerability is a cross-site scripting (XSS) weakness. It allows an attacker to send specially crafted messages through a WebSocket plugin. Because these messages are not properly checked for malicious code before being sent to other users' browsers, arbitrary JavaScript can be executed.

What are the conditions for an attacker to trigger this vulnerability?

An attacker does not need any special access or authentication to exploit this flaw. They can send a malicious JSON message to the platform's WebSocket server, which then relays the unsafe content to all connected clients.
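The relay-to-`eval()` pattern described above, shown as an added example that is not AVideo's own code and does not reproduce its plugin: a hypothetical WebSocket client handler that executes a relayed message field, beside a hardened handler that only dispatches allowlisted message types, validates each field as data, and escapes text before it reaches HTML. The message shapes (`type`, `code`, `text`, `count`) and the in-memory `client` object are assumptions constructed for the example; in a browser the `chatText` entries would be rendered with `textContent` or via `escapeHtml`.

```javascript
// Added example, not WWBN AVideo code. Field names are assumptions.

// Hypothetical vulnerable pattern: the server relays whatever any sender
// submitted, and the client runs a string field through eval().
function handleMessageVulnerable(rawMessage, client) {
  const msg = JSON.parse(rawMessage);
  if (msg.type === "script") {
    // eval() sink: the relayed string runs with the page's full privileges,
    // so every connected user (admins included) executes a sender's code.
    eval(msg.code);
  } else if (msg.type === "chat") {
    client.chatHtml += msg.text; // innerHTML-style sink, also injectable
  }
}

// Hardened: closed allowlist of message types, each with a schema check.
// Messages are data; nothing relayed is ever evaluated as code.
const HANDLERS = {
  chat(msg, client) {
    if (typeof msg.text !== "string" || msg.text.length > 2000) {
      throw new TypeError("chat.text must be a string of at most 2000 chars");
    }
    client.chatText.push(msg.text); // stored as text, not markup
  },
  viewerCount(msg, client) {
    if (!Number.isInteger(msg.count) || msg.count < 0) {
      throw new TypeError("viewerCount.count must be a non-negative integer");
    }
    client.viewers = msg.count;
  },
};

function handleMessageHardened(rawMessage, client) {
  let msg;
  try {
    msg = JSON.parse(rawMessage);
  } catch (e) {
    return { ok: false, reason: "invalid JSON" };
  }
  if (!msg || typeof msg !== "object" || Array.isArray(msg)) {
    return { ok: false, reason: "message is not an object" };
  }
  // hasOwnProperty keeps inherited names ("constructor", "__proto__",
  // "toString") from resolving to a handler.
  const handler = Object.prototype.hasOwnProperty.call(HANDLERS, msg.type)
    ? HANDLERS[msg.type]
    : null;
  if (!handler) {
    return { ok: false, reason: `unknown message type ${String(msg.type)}` };
  }
  try {
    handler(msg, client);
    return { ok: true };
  } catch (e) {
    return { ok: false, reason: e.message };
  }
}

// Escape chat text if it must be placed into HTML rather than textContent.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Minimal stand-in for per-connection client state (constructed, no DOM).
function newClient() {
  return { chatHtml: "", chatText: [], viewers: 0 };
}

// Stand-alone demonstration with constructed messages.
const demo = newClient();
console.log(handleMessageHardened('{"type":"chat","text":"<b>hello</b>"}', demo));
console.log(handleMessageHardened('{"type":"script","code":"1+1"}', demo));
console.log(escapeHtml(demo.chatText[0]));
```

The design point is that the hardened handler never has an execution sink to protect: a message can only select one of the named handlers, and each handler accepts only the fields and types it expects. That is the property a fixed server relay should be paired with on the client, since relay-side filtering alone still leaves the `eval()` reachable by any future message source.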

Who should be concerned about CVE-2026-40911?

Organizations running WWBN AVideo, especially those with internet-facing instances, should be concerned. The Halo Surface Signal indicates this is a very likely threat because the platform is designed for public access and the vulnerability affects all connected users, including administrators.

What is the first step to address this threat?

The immediate first step is to apply the fix available through the commit c08694bf6264eb4decceb78c711baee2609b4efd to WWBN AVideo versions 29.0 and prior. If immediate patching isn't possible, isolating the affected instances from network traffic is recommended.
