CVE-2026-40911
CVSS 10.0
An unauthenticated attacker can send a crafted WebSocket message to AVideo's YPTSocket plugin, and the server will relay it straight to every connected browser. Two eval() calls on the client side execute the attacker's JavaScript in the context of every viewer, including admins. That means instant session theft, account takeover, and full control of the platform with zero interaction required from victims.
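
One way to close both halves of the flaw described above, as an added example that is not AVideo's code: the server relays only schema-validated messages from authenticated senders, and the client routes by message type through a fixed handler table instead of calling eval(). The message types, field names and the `sender` object are hypothetical.

```javascript
// Added example: hypothetical message shapes, not AVideo's real protocol.
const MAX_TEXT = 200;

// Allowlist of message types; each validator returns a clean payload or null.
const SCHEMAS = {
  chat: (p) => (typeof p.text === "string" && p.text.length <= MAX_TEXT ? { text: p.text } : null),
  viewerCount: (p) => (Number.isInteger(p.count) && p.count >= 0 ? { count: p.count } : null),
};

// Server side: decide whether a raw frame may be relayed to other clients.
function validateRelay(sender, raw) {
  if (!sender || sender.authenticated !== true) return null; // no anonymous broadcast
  let msg;
  try {
    msg = JSON.parse(raw);
  } catch {
    return null; // not JSON
  }
  if (msg === null || typeof msg !== "object" || Array.isArray(msg)) return null;
  if (!Object.hasOwn(SCHEMAS, msg.type)) return null; // unknown message type
  const body = msg.body;
  if (body === null || typeof body !== "object") return null;
  const clean = SCHEMAS[msg.type](body);
  // Rebuild the message from validated fields only; extra keys are dropped.
  return clean ? { type: msg.type, from: sender.userId, body: clean } : null;
}

// Client side: route by type through a fixed handler table, never eval().
function dispatch(raw, handlers) {
  let msg;
  try {
    msg = JSON.parse(raw);
  } catch {
    return false;
  }
  if (msg === null || typeof msg !== "object") return false;
  if (!Object.hasOwn(handlers, msg.type) || typeof handlers[msg.type] !== "function") return false;
  handlers[msg.type](msg.body); // body is treated as data only
  return true;
}
```

Because the relayed object is rebuilt from validated fields, a string smuggled in under an unexpected key never reaches other clients, and the client has no code path that turns message content into script.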