[HIGH] AVideo has an Incomplete Fix for YPTSocket autoEvalCodeOnHTML Strip: Unauthenticated Cross-User JavaScript Execution via `$msg['json']` Relay Bypass

PKSA-15fj-zg4r-zsnq CVE-2026-43874 GHSA-ghcv-22jf-vfxm

Affected package: wwbn/avideo

Affected version: <=29.0

Reported by:
GitHub