CVE-2026-49279 is a high-severity cross-site scripting (XSS) vulnerability in wwbn/avideo (composer), affecting versions <= 29.0. No fixed version is listed yet.
AVideo: Stored XSS via autoEvalCodeOnHTML in MessageSQLite WebSocket Handler Summary AVideo has a stored XSS vulnerability in the WebSocket messaging system. The MessageSQLite.php handler only strips autoEvalCodeOnHTML from $json['msg'], but msgToResourceId() reads from $msg['json'] with higher priority. An attacker can place the XSS payload in the json key instead of msg, bypassing the sanitization entirely. Affected Versions AVideo <= latest Vulnerability Details Root Cause: Shallow sanitization only covers $json['msg'] plugin/YPTSocket/MessageSQLite.php lines 268-271, the incomplete fix: plugin/YPTSocket/MessageSQLite.php lines 361-367, the bypass via msgToResourceId(): Compare with the correctly patched Message.php (lines 254-256): And MessageSQLiteV2.php (lines 302-303): MessageSQLite.php does not call removeAutoEvalCodeOnHTMLRecursive() at all. Attack Chain Attacker sends a WebSocket message with autoEvalCodeOnHTML in the json key instead of msg The fix at line 268-271 only checks $json['msg'], the json key is untouched msgToResourceId() reads $msg['json'] first (line 361) because !empty($msg['json']) is true The payload is delivered to the victim's WebSocket client and evaluated via autoEvalCodeOnHTML Proof of Concept Impact An authenticated attacker can: Execute arbitrary JavaScript in any connected user's browser session via the WebSocket messaging system Steal session cookies and authentication tokens Perform account takeover via session hijacking Chain with CSRF to execute admin actions on behalf of the victim The vulnerability affects the default SQLite WebSocket backend configuration. Suggested Remediation Apply removeAutoEvalCodeOnHTMLRecursive() in MessageSQLite.php, consistent with Message.php and MessageSQLiteV2.php:
Untrusted input is rendered as active markup in a victim's browser, which can run script in their session. Typical impact: session or credential theft, and actions taken as the user.
composer
wwbn/avideo (<= 29.0)Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter instead of chasing every advisory.
Kodem's runtime-powered SCA identifies whether CVE-2026-49279 is reachable in your applications. Explore open-source security for your team.
See if CVE-2026-49279 is reachable in your applications. Get a demo
Already deployed Kodem? See CVE-2026-49279 in your environment →No fixed version is listed for CVE-2026-49279 yet.
In the interim: Validate and encode untrusted input before rendering it as HTML. Applying a Content Security Policy reduces the impact if encoding is bypassed.
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
CVE-2026-49279 is a high-severity cross-site scripting (XSS) vulnerability in wwbn/avideo (composer), affecting versions <= 29.0. No fixed version is listed yet. Untrusted input is rendered as active markup in a victim's browser, which can run script in their session.
wwbn/avideo (composer) versions <= 29.0 is affected.
No fixed version is listed for CVE-2026-49279 yet. Monitor the advisory for updates and apply mitigations in the interim.
Whether CVE-2026-49279 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
No fixed version is listed yet. In the interim: Validate and encode untrusted input before rendering it as HTML. Applying a Content Security Policy reduces the impact if encoding is bypassed.