CVE-2026-40926

Severity: High (CVSS 3.1 base score 7.1) · EPSS 6.2%
Published Apr 21, 2026 · Last modified Jun 17, 2026

Description

WWBN AVideo is an open source video platform. In versions 29.0 and prior, three admin-only JSON endpoints — `objects/categoryAddNew.json.php`, `objects/categoryDelete.json.php`, and `objects/pluginRunUpdateScript.json.php` — enforce only a role check (`Category::canCreateCategory()` / `User::isAdmin()`) and perform state-changing actions against the database without calling `isGlobalTokenValid()` or `forbidIfIsUntrustedRequest()`. Peer endpoints in the same directory (`pluginSwitch.json.php`, `pluginRunDatabaseScript.json.php`) do enforce the CSRF token, so the missing checks are an omission rather than a design choice. An attacker who lures a logged-in admin to a malicious page can create, update, or delete categories and force execution of any installed plugin's `updateScript()` method in the admin's session. Commit ee5615153c40628ab3ec6fe04962d1f92e67d3e2 contains a fix.
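The advisory's point is that the three endpoints differ from their peers only by the absence of a CSRF guard after the role check. The following is an added audit script, not code from AVideo or from the advisory, that encodes that pattern as a heuristic: a `*.json.php` file that contains one of the role checks named above (`User::isAdmin()`, `Category::canCreateCategory()`) and a state-changing call, but none of the CSRF guards named above (`isGlobalTokenValid()`, `forbidIfIsUntrustedRequest()`), is flagged for review. PHP comments are stripped first so that a commented-out guard does not count. The `->save(`/`->delete(` markers, the helper name `getPluginByName`, and the sample endpoint bodies are all constructed for the example and are assumptions, not AVideo source.

```python
"""Heuristic audit for admin JSON endpoints that lack a CSRF guard.

Added example for CVE-2026-40926 (CWE-352). Only the role-check and guard
function names come from the advisory; the rest is constructed.
"""
import re
from pathlib import Path
from tempfile import TemporaryDirectory

# Role checks and CSRF guards named in the advisory text.
ROLE_CHECKS = ("User::isAdmin(", "Category::canCreateCategory(")
CSRF_GUARDS = ("isGlobalTokenValid(", "forbidIfIsUntrustedRequest(")
# Markers treated as state-changing. 'updateScript(' is named on the page;
# '->save(' and '->delete(' are assumptions about the code base.
STATE_CHANGING = ("->save(", "->delete(", "updateScript(")

# Strips /* ... */, // ... and # ... comments. A heuristic: it does not
# understand PHP strings, so a '//' inside a string literal would be eaten too.
_COMMENT_RE = re.compile(r"/\*.*?\*/|//[^\n]*|#[^\n]*", re.DOTALL)


def strip_php_comments(src: str) -> str:
    """Return the source with comments removed so commented-out guards don't count."""
    return _COMMENT_RE.sub("", src)


def audit_endpoint(src: str) -> dict:
    """Classify one endpoint's source; 'flagged' means role check + state change, no guard."""
    code = strip_php_comments(src)
    has_role = any(marker in code for marker in ROLE_CHECKS)
    has_guard = any(marker in code for marker in CSRF_GUARDS)
    changes_state = any(marker in code for marker in STATE_CHANGING)
    return {
        "role_check": has_role,
        "csrf_guard": has_guard,
        "state_changing": changes_state,
        "flagged": has_role and changes_state and not has_guard,
    }


def audit_tree(root: Path) -> list[str]:
    """Return the file names under root (e.g. an objects/ directory) that are flagged."""
    flagged = []
    for path in sorted(root.rglob("*.json.php")):
        src = path.read_text(encoding="utf-8", errors="replace")
        if audit_endpoint(src)["flagged"]:
            flagged.append(path.name)
    return flagged


# Constructed sample endpoints in the shape the advisory describes (not AVideo source).
SAMPLE_VULNERABLE = """<?php
require_once '../videos/configuration.php';
header('Content-Type: application/json');
if (!User::isAdmin()) {
    die('{"error":"admin only"}');
}
// forbidIfIsUntrustedRequest();   commented out: must not count as a guard
$obj = new Category($_POST['id']);
$obj->delete();
echo '{"ok":true}';
"""

SAMPLE_GUARDED = """<?php
require_once '../videos/configuration.php';
header('Content-Type: application/json');
if (!User::isAdmin()) {
    die('{"error":"admin only"}');
}
forbidIfIsUntrustedRequest();
$plugin = getPluginByName($_POST['name']);  // constructed helper name
$plugin->updateScript();
echo '{"ok":true}';
"""

SAMPLE_READONLY = """<?php
require_once '../videos/configuration.php';
header('Content-Type: application/json');
if (!User::isAdmin()) {
    die('{"error":"admin only"}');
}
echo json_encode(array('categories' => 3));
"""


def demo() -> list[str]:
    """Write the constructed samples to a temp dir and audit it; returns flagged names."""
    with TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "sample_delete.json.php").write_text(SAMPLE_VULNERABLE, encoding="utf-8")
        (root / "sample_guarded.json.php").write_text(SAMPLE_GUARDED, encoding="utf-8")
        (root / "sample_readonly.json.php").write_text(SAMPLE_READONLY, encoding="utf-8")
        return audit_tree(root)


if __name__ == "__main__":
    print("flagged:", demo())
```

Pointing `audit_tree()` at a real `objects/` directory reports the candidates for review; it is deliberately a substring heuristic, so a guard performed in an included file or a state change behind an unlisted method name will produce a false positive or negative, and each hit still needs a read of the file.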

CVSS Details

Base Score
7.1
Exploitability
2.8
Impact
4.2
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:L
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction Required
Scope Unchanged
Confidentiality None
Integrity High
Availability Low

Threat Intelligence

EPSS Exploit Probability
6.2%
Exploit & Patch Status
Public Exploit Known
Patch Available

Weaknesses 1

CWE-352 Cross-Site Request Forgery (CSRF) (category: Authentication)

Affected Products 1

Vendor   Product   Version   Range
wwbn     avideo    *         ≤ 29.0

References 2

  • github.com https://github.com/WWBN/AVideo/commit/ee5615153c40628ab3ec6fe04962d1f92e67d3e2
    Patch
  • github.com https://github.com/WWBN/AVideo/security/advisories/GHSA-ffw8-fwxp-h64w
    Exploit, Mitigation, Vendor Advisory

Remediation

  • github.com https://github.com/WWBN/AVideo/commit/ee5615153c40628ab3ec6fe04962d1f92e67d3e2
    Patch