PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-54458 WWBN CVE debrief

AVideo versions prior to 29.0 contain a stored DOM Cross-Site Scripting vulnerability in the YPTSocket plugin. Any unauthenticated remote attacker can execute arbitrary JavaScript in the authenticated origin of every administrator currently viewing a page that renders the YPTSocket online-users debug panel. The vulnerability allows attackers to read non-HttpOnly cookies and the CSRF token rendered into the admin dashboard, issue authenticated requests to any admin-only endpoint, exfiltrate the admin dashboard DOM, and chain into any admin-context mutation.

Vendor
WWBN
Product
AVideo
CVSS
CRITICAL 9.6
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-15
Original CVE updated
2026-07-16
Advisory published
2026-07-15
Advisory updated
2026-07-16

Who should care

Administrators and users of AVideo versions prior to 29.0 should be aware of this vulnerability and take immediate action to patch their systems. AVideo operators should review their deployments and verify the presence of the YPTSocket plugin. Vulnerability management teams should prioritize patching and monitor for suspicious WebSocket connections. Security teams should implement additional security measures to prevent exploitation.

Technical summary

The YPTSocket plugin issues a signed WebSocket token to any anonymous caller, and MessageSQLiteV2::onOpen at plugin/YPTSocket/MessageSQLiteV2.php lines 91 and 110 reads the attacker-controlled webSocketSelfURI and page_title query parameters from the WebSocket connection URL with no validation. Both values persist into the in-memory SQLite connections table and broadcast inside the users_id_online array sent to every connected client; on the client, plugin/YPTSocket/script.js::updateSocketUserCard interpolates the broadcast page_title into an HTML template literal that is passed to jQuery $.append(html), which parses attacker bytes into live DOM nodes including <img> with inline event handlers.

Defensive priority

High

Recommended defensive actions

  • Patch AVideo to version 29.0 or later
  • Restrict access to the YPTSocket online-users debug panel
  • Monitor for suspicious WebSocket connections
  • Implement additional security measures to prevent exploitation
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented

Evidence notes

The CVE record was published on 2026-07-15T22:17:19.160Z and has not been modified since then. The NVD entry is currently Deferred. There is limited information available about the vulnerability, and defenders should verify the affected scope and severity with the vendor. The YPTSocket plugin is used in AVideo versions prior to 29.0, which contains a stored DOM Cross-Site Scripting vulnerability.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-15T22:17:19.160Z and has not been modified since then. The NVD entry is currently Deferred.