LeakyCreds

CVE-2026-40911 - Vulnerability Analysis

Critical | CVSS: 10.0

Last Updated: April 22, 2026

WWBN AVideo - Stored XSS

Published: April 21, 2026 | Updated: April 22, 2026 | Remote Exploitable

Overview

WWBN AVideo <= 29.0 contains a stored XSS vulnerability: the YPTSocket plugin's WebSocket server relays attacker-supplied JSON fields to connected clients without sanitizing them, which lets an unauthenticated attacker execute arbitrary JavaScript in all connected clients. Exploitation requires no authentication.
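
The kind of validation missing from the relay path described above, as an added example (not AVideo's code and not its fix): it allow-lists `callback` and accepts `msg` only as bounded plain text before a message is relayed or dispatched. The handler names in ALLOWED_CALLBACKS and the length limit are hypothetical.

```javascript
// Added example: validate a socket message before it is broadcast or dispatched.
// ALLOWED_CALLBACKS holds hypothetical handler names, not AVideo's real ones.
const ALLOWED_CALLBACKS = new Set(["socketNewMessage", "socketUserCount"]);
const MAX_MSG_LENGTH = 2000; // assumed limit

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function escapeHtml(text) {
  return text.replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Returns { ok: true, message } with neutralized fields, or { ok: false, reason }.
function validateRelayMessage(rawFrame) {
  let parsed;
  try {
    parsed = JSON.parse(rawFrame);
  } catch {
    return { ok: false, reason: "not JSON" };
  }
  if (parsed === null || typeof parsed !== "object" || Array.isArray(parsed)) {
    return { ok: false, reason: "not a JSON object" };
  }
  const { callback, msg } = parsed;
  // callback must be an exact, known handler name, never an expression or property path.
  if (typeof callback !== "string" || !ALLOWED_CALLBACKS.has(callback)) {
    return { ok: false, reason: "callback not allow-listed" };
  }
  // msg is accepted as plain text only; nested objects are rejected rather than walked.
  if (typeof msg !== "string" || msg.length > MAX_MSG_LENGTH) {
    return { ok: false, reason: "msg must be a bounded string" };
  }
  // Rebuild the message from validated fields so unknown keys are never relayed.
  return { ok: true, message: { callback, msg: escapeHtml(msg) } };
}

// Constructed sample frames (not captured traffic).
const samples = [
  '{"callback":"socketNewMessage","msg":"hello"}',
  '{"callback":"socketNewMessage","msg":"<b onclick=x>hi</b>"}',
  '{"callback":"notAHandler()","msg":"hi"}',
  '{"callback":"socketNewMessage","msg":{"html":"<b>x</b>"}}',
];
for (const frame of samples) {
  console.log(JSON.stringify(validateRelayMessage(frame)));
}
```

Escaping covers the case where `msg` ends up in HTML; a client that inserts it with `textContent` needs only the type and length checks.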

Severity & Score

Severity: Critical
CVSS Score: 10.0
EPSS Score: 16.6% (Probability of exploitation in next 30 days)

Impact

Unauthenticated attackers can execute arbitrary JavaScript in all connected clients, leading to account takeover, session theft, and privileged action execution.

Mitigation

Update to the version including commit c08694bf6264eb4decceb78c711baee2609b4efd or later.

Social Media Activity (2 posts)

OffSequence
@offseq
Apr 22, 2026

🚨 CVE-2026-40911: WWBN AVideo <=29.0 CRITICAL code injection via YPTSocket plugin. Unauthenticated attacker can execute JS on all connected clients, risking account takeover. Patch with commit c08694bf ASAP. https://radar.offseq.com/threat/cve-2026-40911-cwe-94-improper-control-of-generati-3a34b5ff #OffSeq #CVE202640911 #infosec #security

TheHackerWire
@thehackerwire
Apr 21, 2026

CVE-2026-40911 - Critical (10) WWBN AVideo is an open source video platform. In versions 29.0 and prior, the YPTSocket plugin's WebSocket server relays attacker-supplied JSON message bodies to every connected client without sanitizing the `msg` or `callback` fields. On the clie... https://www.thehackerwire.com/vulnerability/CVE-2026-40911/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack


Details

CVE ID: CVE-2026-40911
Severity: Critical
CVSS Score: 10.0
Type: stored_xss
Status: unconfirmed
EPSS: 16.6%
Social Posts: 2

CWE

  • CWE-94

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

EPSS Score

16.6% (Probability of exploitation in the next 30 days)