CVE-2026-49279: WWBN AVideo: Stored XSS via autoEvalCodeOnHTML Bypass in MessageSQLite WebSocket Handler (CVE-2026-43874 Bypass)
AVideo has a stored XSS vulnerability in the WebSocket messaging system. The MessageSQLite.php handler only strips autoEvalCodeOnHTML from $json['msg'], but msgToResourceId() reads from $msg['json'] with higher priority, so the sanitized value is ignored whenever a json key is present. An attacker can place the XSS payload in the json key instead of msg, bypassing the sanitization entirely.
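The bug class here is a sanitizer applied to one key while the consumer prefers another. The following is an added illustration of that mismatch and of the fix (sanitize the value that is actually resolved, in every candidate location); it is not AVideo's code, and the function names and the treatment of autoEvalCodeOnHTML as an array key are assumptions.

```php
<?php
// Added illustration, not code from AVideo. Names are hypothetical.
// Assumption: autoEvalCodeOnHTML is a key inside the message array whose
// presence makes the receiving client evaluate the message content.

// Vulnerable pattern: the sanitizer only touches the 'msg' key ...
function sanitizeVulnerable(array $json): array {
    if (isset($json['msg']) && is_array($json['msg'])) {
        unset($json['msg']['autoEvalCodeOnHTML']);
    }
    return $json;
}

// ... while the consumer resolves 'json' with higher priority than 'msg',
// so the key the sanitizer cleaned is never the one that is used.
function resolveMessage(array $msg) {
    if (!empty($msg['json'])) {
        return $msg['json'];
    }
    return $msg['msg'] ?? null;
}

// Hardened pattern: strip the dangerous key from every candidate location,
// then resolve and sanitize the resolved value once more so that any future
// change in precedence cannot reintroduce the bypass.
function sanitizeHardened(array $json): array {
    foreach (['msg', 'json'] as $key) {
        if (isset($json[$key]) && is_array($json[$key])) {
            unset($json[$key]['autoEvalCodeOnHTML']);
        }
    }
    $resolved = resolveMessage($json);
    if (is_array($resolved)) {
        unset($resolved['autoEvalCodeOnHTML']);
        $json['json'] = $resolved; // store back the value that will be consumed
    }
    return $json;
}

// Returns true when the dangerous key reaches the consumer.
function flagSurvives(array $incoming, callable $sanitizer): bool {
    $resolved = resolveMessage($sanitizer($incoming));
    return is_array($resolved) && isset($resolved['autoEvalCodeOnHTML']);
}

// Constructed sample: the key is placed under 'json' rather than 'msg'.
$incoming = [
    'msg'  => ['text' => 'hello'],
    'json' => ['text' => 'hello', 'autoEvalCodeOnHTML' => '<constructed marker>'],
];
var_dump(flagSurvives($incoming, 'sanitizeVulnerable'));
var_dump(flagSurvives($incoming, 'sanitizeHardened'));
```

The first call demonstrates the bypass surviving the per-key sanitizer; the second shows it removed once sanitization is applied to the resolved value.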