PatchDay Alert
APR 29, 2026 Subscribe →
Daily Digest By Colten Anderson

AVideo CVSS 10: one WebSocket message owns every viewer, no click needed

A perfect-score stored XSS in AVideo's YPTSocket hits all connected browsers instantly. Also: Flowise command injection (9.9), ElectricSQL SQL injection that gives full PostgreSQL read/write (9.9), an unauth WordPress SMTP hijack via Sendmachine (9.8), and a Firefox DOM security bypass (9.8).

Patch now
4
Within 24h
1
This week
0
Exploited
0
WordPressCMS

Five critical bugs today, none exploited in the wild yet, but a CVSS 10 in AVideo's WebSocket plugin deserves your attention first. An unauthenticated attacker can hijack every connected browser session, including admins, with zero interaction required. Firefox also has a 9.8 DOM security bypass that could compromise browsers just by visiting a malicious page, so push that update to your fleet now.

Today's CVEs

Sorted by urgency
01

CVE-2026-40911

NVD
10.0
CVSS
CRITICAL
WordPressCMS

An unauthenticated attacker can send a crafted WebSocket message to AVideo's YPTSocket plugin, and the server will relay it straight to every connected browser. Two eval() calls on the client side execute the attacker's JavaScript in the context of every viewer, including admins. That means instant session theft, account takeover, and full control of the platform with zero interaction required from victims.

Affected estate
Anyone self-hosting AVideo (WWBN) version 29.0 or earlier with the YPTSocket plugin enabled
How to check
Check inventory, endpoint management, or the vendor console for affected WordPress versions.
Action
Apply commit c08694bf6264eb4decceb78c711baee2609b4efd or pull the latest main branch. If you can't patch right now, disable the YPTSocket plugin until you can.
Urgency
Patch immediately
Why it matters
An unauthenticated attacker can send a crafted WebSocket message to AVideo's YPTSocket plugin, and the server will relay it straight to every connected browser
Source
NVD
02

CVE-2026-40933

NVD
9.9
CVSS
CRITICAL

Flowise's "Custom MCP" feature lets any authenticated user add a stdio-based MCP server with an arbitrary command. The input sanitization checks are easy to bypass: you can pass something like 'npx -c touch /tmp/pwn' through the allow-listed 'npx' command. That gives you OS-level command execution on the Flowise host. You need a valid login, but any user role can pull it off.

Affected estate
Anyone running Flowise versions before 3.1.0, especially instances exposed to the internet or shared with untrusted users
How to check
Check inventory, endpoint management, or the vendor console for affected product versions.
Action
Upgrade Flowise to 3.1.0 or later. Until you do, restrict who can access the MCP configuration UI and audit existing MCP stdio entries for suspicious commands.
Urgency
Patch immediately
Why it matters
Flowise's "Custom MCP" feature lets any authenticated user add a stdio-based MCP server with an arbitrary command
Source
NVD
03

CVE-2026-40906

NVD
9.9
CVSS
CRITICAL

The order_by parameter in ElectricSQL's /v1/shape API doesn't sanitize input, so any authenticated user can inject SQL through crafted ORDER BY expressions. This isn't read-only: an attacker can read, write, and delete everything in your PostgreSQL database. If your Electric instance is reachable by untrusted users, your entire database is exposed.

Affected estate
Anyone running ElectricSQL (Electric) versions 1.1.12 through 1.4.x with the /v1/shape API exposed
How to check
Check inventory, endpoint management, or the vendor console for affected product versions.
Action
Upgrade Electric to 1.5.0 or later. Review your PostgreSQL logs for unusual ORDER BY patterns that might indicate prior exploitation.
Urgency
Patch immediately
Why it matters
The order_by parameter in ElectricSQL's /v1/shape API doesn't sanitize input, so any authenticated user can inject SQL through crafted ORDER BY expressions
Source
NVD
04

CVE-2026-6235

NVD
9.8
CVSS
CRITICAL
WordPressCMS

The Sendmachine for WordPress plugin doesn't check whether the caller is actually authorized when handling admin requests. An unauthenticated attacker can overwrite your SMTP configuration, rerouting all outbound email through a server they control. That includes password reset emails, which means full site takeover is one "forgot password" click away.

Affected estate
WordPress site owners running the Sendmachine plugin version 1.0.20 or earlier
How to check
Check inventory, endpoint management, or the vendor console for affected WordPress versions.
Action
Update the Sendmachine plugin past version 1.0.20. If no update is available yet, deactivate the plugin and switch to a different SMTP plugin. Check your current SMTP settings to confirm they haven't already been tampered with.
Urgency
Patch immediately
Why it matters
The Sendmachine for WordPress plugin doesn't check whether the caller is actually authorized when handling admin requests
Source
NVD
05

CVE-2026-6771

NVD
9.8
CVSS
CRITICAL

A bypass in Firefox's DOM Security component lets attackers get around protections that are supposed to prevent malicious page content from executing privileged actions. Mozilla's description is sparse, but a CVSS 9.8 on a DOM security mitigation bypass typically means a crafted webpage could compromise your browser without much user interaction beyond visiting the page.

Affected estate
Anyone running Firefox before 150, Firefox ESR before 140.10, Thunderbird before 150, or Thunderbird ESR before 140.10
How to check
Check inventory, endpoint management, or the vendor console for affected product versions.
Action
Update Firefox to 150+, Firefox ESR to 140.10+, Thunderbird to 150+, or Thunderbird ESR to 140.10+ through your standard browser update channel or package manager.
Urgency
Patch within 24 hours
Why it matters
A bypass in Firefox's DOM Security component lets attackers get around protections that are supposed to prevent malicious page content from executing privileged actions
Source
NVD