AVideo: HTML Injection in notifySubscribers.json.php Allows Platform-Branded Phishing Emails to Channel Subscribers — CVE-2026-43876

Summary

## Summary `objects/notifySubscribers.json.php` takes the raw `message` POST parameter and passes it into `sendSiteEmail()`, which substitutes it directly into an HTML email template (via `str_replace` on the `{message}` placeholder) and renders it with `PHPMailer::msgHTML()`. There is no HTML sanitization, character escaping, or output encoding on the attacker-controlled `message` between `$_POST['message']` and…

Product

composer: wwbn/avideo

What to do

General, cautious steps (verify details in the official source):

• Review exposure and plan remediation based on risk and environment.
• Identify affected product versions in your inventory and verify whether you are impacted.
• Apply vendor patches/updates or recommended mitigations as soon as available.
• Read the official advisory for exact affected versions and remediation steps.

Official advisory

• Read the official source
• CVE Record
• NVD

Related advisories