External risk intelligence

WWBN AVideo YPTSocket Plugin Stored XSS Allows Admin Takeover

CVE advisorySeverity: CRITICAL (CVSS 9.6)

CVE-2026-54458

WWBN AVideo is an open-source video platform designed to be a public-facing web application. Since the vulnerability resides within a web-based plugin and is reachable via standard web requests to the platform, it is commonly deployed in internet-facing environments.

Cross-site Scripting

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A vulnerability in the open-source WWBN AVideo platform could allow an unauthenticated attacker to execute malicious scripts within an administrator's session, potentially leading to a full administrative takeover. This occurs when specific parameters are mishandled in the YPTSocket plugin, enabling an attacker to inject code that compromises administrator actions. The main concern is confirming relevance and exposure to this type of web-based video platform.

  • Website plugin allows script injection.
  • High-impact threat to admin control.
  • Verify if this video platform is used.

Attack Path

How an attacker could exploit the issue

An attacker can begin by anonymously connecting to the platform and then send specially crafted data that targets the YPTSocket plugin. This data, when processed by administrators viewing a specific debug panel, can lead to the execution of arbitrary JavaScript within their browser sessions. This allows the attacker to hijack administrator sessions and perform actions with elevated privileges.

  • Unauthenticated remote access required.
  • Injects malicious JavaScript via WebSocket.
  • Full administrative takeover risk.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow an unauthenticated attacker to execute arbitrary JavaScript in the browser of an administrator viewing a specific debug panel. When this panel is active, the attacker can control specific parameters that are then rendered into the administrator's dashboard, potentially leading to administrative takeover.

  • Admin session tokens and cookies at risk.
  • Attacker injects script via WebSocket parameters.
  • Full administrative takeover of the platform.

Operational Fix

Recommended remediation, mitigation, and detection steps

Application owners and platform teams are likely responsible for addressing this stored DOM Cross-Site Scripting vulnerability within the YPTSocket plugin. The first practical step is to identify all instances of the affected video platform, determine their reachability and business criticality, and then locate the accountable owner to plan remediation based on assessed risk.

  • Application owners should manage the issue.
  • Verify plugin reachability and administrator exposure.
  • Plan AVideo updates during maintenance windows.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is WWBN AVideo?

WWBN AVideo is an open-source platform used for hosting, managing, and streaming video content online. It provides a comprehensive suite of tools for video distribution and includes various plugins, such as YPTSocket, to extend its functionality, for instance by providing real-time communication features or monitoring debug panels for site administrators.

How does CVE-2026-54458 work?

This vulnerability is a stored DOM Cross-Site Scripting (XSS) issue categorized under CWE-79. It occurs because the YPTSocket plugin fails to validate input from WebSocket connection parameters. This allows an attacker to inject malicious JavaScript, which is then stored by the server and executed within the browser of any administrator who views the affected YPTSocket online-users debug panel.

What must an attacker do to trigger this bug?

An attacker initiates the process by making an anonymous WebSocket connection to the platform and sending crafted parameters, specifically 'webSocketSelfURI' and 'page_title'. The vulnerability is not triggered by standard site navigation or by users who do not hold administrative privileges, as the malicious code only executes when an administrator views the specific debug panel where the payload is rendered.

Is my instance of AVideo at risk?

According to Halo Surface Signal, AVideo is typically deployed as a public-facing web application, making instances reachable via the internet highly accessible to remote attackers. Because this flaw requires no authentication to initiate, any internet-facing AVideo site running an affected version is at potential risk if an administrator accesses the vulnerable debug panel.

What are the first steps to address this?

First, verify which versions of AVideo are running in your environment. Since this flaw has been addressed by the vendor, the most effective step is to apply the provided security update. If you cannot update immediately, restrict access to administrative dashboards and monitor the usage of the YPTSocket plugin to reduce the likelihood of an administrator encountering the malicious payload.

References