PatchSiren cyber security CVE debrief
CVE-2026-54458 WWBN CVE debrief
AVideo versions prior to 29.0 contain a stored DOM Cross-Site Scripting vulnerability in the YPTSocket plugin. Any unauthenticated remote attacker can execute arbitrary JavaScript in the authenticated origin of every administrator currently viewing a page that renders the YPTSocket online-users debug panel. The vulnerability allows attackers to read non-HttpOnly cookies and the CSRF token rendered into the admin dashboard, issue authenticated requests to any admin-only endpoint, exfiltrate the admin dashboard DOM, and chain into any admin-context mutation.
- Vendor
- WWBN
- Product
- AVideo
- CVSS
- CRITICAL 9.6
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-15
- Original CVE updated
- 2026-07-16
- Advisory published
- 2026-07-15
- Advisory updated
- 2026-07-16
Who should care
Administrators and users of AVideo versions prior to 29.0 should be aware of this vulnerability and take immediate action to patch their systems. AVideo operators should review their deployments and verify the presence of the YPTSocket plugin. Vulnerability management teams should prioritize patching and monitor for suspicious WebSocket connections. Security teams should implement additional security measures to prevent exploitation.
Technical summary
The YPTSocket plugin issues a signed WebSocket token to any anonymous caller, and MessageSQLiteV2::onOpen at plugin/YPTSocket/MessageSQLiteV2.php lines 91 and 110 reads the attacker-controlled webSocketSelfURI and page_title query parameters from the WebSocket connection URL with no validation. Both values persist into the in-memory SQLite connections table and broadcast inside the users_id_online array sent to every connected client; on the client, plugin/YPTSocket/script.js::updateSocketUserCard interpolates the broadcast page_title into an HTML template literal that is passed to jQuery $.append(html), which parses attacker bytes into live DOM nodes including <img> with inline event handlers.
Defensive priority
High
Recommended defensive actions
- Patch AVideo to version 29.0 or later
- Restrict access to the YPTSocket online-users debug panel
- Monitor for suspicious WebSocket connections
- Implement additional security measures to prevent exploitation
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
Evidence notes
The CVE record was published on 2026-07-15T22:17:19.160Z and has not been modified since then. The NVD entry is currently Deferred. There is limited information available about the vulnerability, and defenders should verify the affected scope and severity with the vendor. The YPTSocket plugin is used in AVideo versions prior to 29.0, which contains a stored DOM Cross-Site Scripting vulnerability.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-15T22:17:19.160Z and has not been modified since then. The NVD entry is currently Deferred.