CVE-2026-43876
CWE-79Published: May 11, 2026· Updated: May 13, 2026
Official Description
WWBN AVideo is an open source video platform. In versions up to and including 29.0, objects/notifySubscribers.json.php takes the raw message POST parameter and passes it into sendSiteEmail(), which substitutes it directly into an HTML email template (via str_replace on the {message} placeholder) and renders it with PHPMailer::msgHTML(). There is no HTML sanitization, character escaping, or output encoding on the attacker-controlled message between $_POST['message'] and the rendered email. Any authenticated user with upload permission can therefore broadcast arbitrary HTML — phishing links, tracking pixels, CSS/UI spoofing — to every subscriber on their channel (up to 10,000 recipients per invocation). The email is sent From: the platform's configured contact address and wrapped in the site's official logo and title, so attacker-supplied HTML arrives with the appearance of an official platform communication. Commit https://github.com/WWBN/AVideo/commit/ contains an updated fix.
Technical Analysis
CVE-2026-43876 can be exploited remotely over the network without requiring physical or adjacent access, significantly expanding the attack surface for threat actors.
Exploitation requires low privileges, which limits the exposure to scenarios where an attacker has already gained initial access.
The vulnerability has a "Changed" scope, meaning successful exploitation can impact components beyond the vulnerable component itself — such as the host operating system or adjacent services.
From a weakness classification perspective (CWE-79): Cross-site scripting (XSS) vulnerabilities allow attackers to inject malicious scripts into web pages viewed by other users.
CVSS v3.1 Vector Breakdown
Affected Vendors & Products
Exploit & PoC Resources
All References (3)
Quick Facts
Related CVEs (CWE-79)
Recommended Actions
- →Apply vendor patches immediately
- →Monitor CVE-2026-43876 in threat intel feeds
- →Review IDS/IPS signatures for exploitation attempts