IA Squad
php · WWBN/AVideo · Critical

AVideo YPTSocket Plugin Unauthenticated Stored DOM XSS via page_title

Unauthenticated stored DOM XSS via `page_title` broadcast in AVideo YPTSocket plugin.

09 Jun 2026 · Read 1 min · Severity: act now

What changed

Any unauthenticated attacker can inject arbitrary JavaScript into the admin's browser session by sending a malicious `page_title` parameter through the WebSocket connection.
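The general pattern behind this class of bug, as an added example that is not AVideo or YPTSocket code: a client-supplied `page_title` is relayed and then concatenated into markup, shown next to a hardened form. The plugin's actual sink is not shown on this page; the message shape, function names and length cap are assumptions.

```javascript
// Added illustration, not AVideo/YPTSocket code. The message shape
// ({ page_title }), function names and the 120-character cap are assumptions.

const MAX_TITLE_LENGTH = 120; // assumed limit for a debug label

// Encode the characters that let text break out into HTML markup or attributes.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Relay side: reduce a client-supplied page_title to bounded plain text
// before it is broadcast to other connected sessions.
function normalizePageTitle(value) {
  if (typeof value !== 'string') return '';
  return value
    .replace(/[\u0000-\u001f\u007f]/g, ' ') // control characters become spaces
    .trim()
    .slice(0, MAX_TITLE_LENGTH);
}

// Vulnerable pattern: the title is concatenated into markup destined for innerHTML.
function renderRowUnsafe(msg) {
  return '<li class="socket-user">' + msg.page_title + '</li>';
}

// Hardened pattern: normalize, then encode for the HTML context.
// In a browser, assigning the value to element.textContent avoids HTML parsing entirely.
function renderRowSafe(msg) {
  const title = escapeHtml(normalizePageTitle(msg.page_title));
  return '<li class="socket-user">' + title + '</li>';
}

// Constructed sample of a title sent by an unauthenticated WebSocket client.
const sample = { page_title: '<img src=x onerror=alert(1)>' };

console.log(renderRowUnsafe(sample)); // markup reaches the page intact
console.log(renderRowSafe(sample));   // markup is rendered as inert text
```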

Who it affects

All AVideo instances with the YPTSocket plugin enabled and `debugSocket=true` (the default), where at least one administrator views a page that loads the YPTSocket footer.

What to do today

Disable the YPTSocket plugin or set `debugSocket=false` immediately. Apply the vendor patch when available.
