CVE-2026-49279
CVE-2026-49279 (WWBN AVideo) describes a stored XSS in the WebSocket messaging system. The vulnerability arises because MessageSQLite.php only strips autoEvalCodeOnHTML from json["msg"], while msgToResourceId() favors json over msg, allowing an attacker to place the payload in json and bypass san...