PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-49279 WWBN CVE debrief

CVE-2026-49279 is a Stored XSS vulnerability in WWBN AVideo versions 29.0 and below. The vulnerability exists through the autoEvalCodeOnHTML parameter in the MessageSQLite WebSocket Handler. An attacker can place the XSS payload in the json key instead of msg, bypassing the sanitization entirely. This allows an authenticated attacker to execute arbitrary JavaScript in any connected user's browser session via the WebSocket messaging system. The vulnerability has a high impact on the confidentiality, integrity, and availability of the affected system.

Vendor
WWBN
Product
AVideo
CVSS
HIGH 7.7
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-15
Original CVE updated
2026-07-16
Advisory published
2026-07-15
Advisory updated
2026-07-16

Who should care

Users of WWBN AVideo versions 29.0 and below should apply the patch to prevent exploitation of this vulnerability. Administrators of systems using this software should monitor for suspicious activity and ensure that all users are aware of the risks associated with this vulnerability. Security teams should review the vulnerability and implement additional security measures to prevent exploitation.

Technical summary

The MessageSQLite.php handler only strips autoEvalCodeOnHTML from $json['msg'], but msgToResourceId() reads from $msg['json'] with higher priority. This allows an attacker to bypass the sanitization and execute arbitrary JavaScript in the browser sessions of connected users. The vulnerability is a Stored XSS vulnerability through the autoEvalCodeOnHTML parameter in the MessageSQLite WebSocket Handler.

Defensive priority

High

Recommended defensive actions

  • Apply the patch from https://github.com/WWBN/AVideo/commit/3e0b3ce2bfa766183ff0ae227439394db57b1a23
  • Monitor for suspicious WebSocket activity
  • Ensure all users are aware of the risks associated with this vulnerability
  • Consider implementing additional security measures such as input validation and output encoding
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented

Evidence notes

The CVE record was published on 2026-07-15T22:16:52.163Z and has not been modified since then. The NVD entry is currently Deferred. There is limited information available about the vulnerability, and defenders should verify the affected scope and severity with the vendor. The vulnerability exists in WWBN AVideo versions 29.0 and below, and an authenticated attacker can execute arbitrary JavaScript in any connected user's browser session via the WebSocket messaging system.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-15T22:16:52.163Z and has not been modified since then. The NVD entry is currently Deferred.