CVE-2026-34611: CWE-352: Cross-Site Request Forgery (CSRF) in WWBN AVideo
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo endpoint objects/emailAllUsers.json.php allows administrators to send HTML emails to every registered user on the platform. While the endpoint verifies admin session status, it does not validate a CSRF token. Because AVideo sets SameSite=None on session cookies, a cross-origin POST request from an attacker-controlled page will include the admin's session cookie automatically. An attacker who lures an admin to a malicious page can send an arbitrary HTML email to every user on the platform, appearing to originate from the instance's legitimate SMTP address. At time of publication, there are no publicly available patches.
AI Analysis
Technical Summary
WWBN AVideo versions 26.0 and prior contain a CSRF vulnerability in the emailAllUsers.json.php endpoint. This endpoint allows authenticated administrators to send HTML emails to all users but lacks CSRF token validation. The platform sets session cookies with SameSite=None, allowing cross-origin POST requests to include the admin's session cookie automatically. An attacker who tricks an admin into visiting a malicious webpage can exploit this to send arbitrary HTML emails to all users, potentially enabling phishing or other social engineering attacks. No official patch or fix is available as of the publication date.
Potential Impact
An attacker can leverage this vulnerability to send arbitrary HTML emails to every registered user on the affected AVideo platform instance. These emails appear to originate from the legitimate SMTP address configured on the platform, increasing the likelihood of successful phishing or social engineering attacks. The vulnerability does not disclose confidential data or allow direct system compromise but can significantly impact user trust and platform reputation. There are no known exploits in the wild at this time.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, administrators should avoid visiting untrusted websites while logged into the AVideo platform. Additionally, consider implementing network-level protections or web application firewall rules to restrict access to the vulnerable endpoint or require additional verification for email-sending actions. Monitoring for unusual email activity may also help detect exploitation attempts.
CVE-2026-34611: CWE-352: Cross-Site Request Forgery (CSRF) in WWBN AVideo
Description
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo endpoint objects/emailAllUsers.json.php allows administrators to send HTML emails to every registered user on the platform. While the endpoint verifies admin session status, it does not validate a CSRF token. Because AVideo sets SameSite=None on session cookies, a cross-origin POST request from an attacker-controlled page will include the admin's session cookie automatically. An attacker who lures an admin to a malicious page can send an arbitrary HTML email to every user on the platform, appearing to originate from the instance's legitimate SMTP address. At time of publication, there are no publicly available patches.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
WWBN AVideo versions 26.0 and prior contain a CSRF vulnerability in the emailAllUsers.json.php endpoint. This endpoint allows authenticated administrators to send HTML emails to all users but lacks CSRF token validation. The platform sets session cookies with SameSite=None, allowing cross-origin POST requests to include the admin's session cookie automatically. An attacker who tricks an admin into visiting a malicious webpage can exploit this to send arbitrary HTML emails to all users, potentially enabling phishing or other social engineering attacks. No official patch or fix is available as of the publication date.
Potential Impact
An attacker can leverage this vulnerability to send arbitrary HTML emails to every registered user on the affected AVideo platform instance. These emails appear to originate from the legitimate SMTP address configured on the platform, increasing the likelihood of successful phishing or social engineering attacks. The vulnerability does not disclose confidential data or allow direct system compromise but can significantly impact user trust and platform reputation. There are no known exploits in the wild at this time.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, administrators should avoid visiting untrusted websites while logged into the AVideo platform. Additionally, consider implementing network-level protections or web application firewall rules to restrict access to the vulnerable endpoint or require additional verification for email-sending actions. Monitoring for unusual email activity may also help detect exploitation attempts.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-03-30T17:15:52.500Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 69cc37c1e6bfc5ba1d4189f8
Added to database: 3/31/2026, 9:08:17 PM
Last enriched: 4/8/2026, 4:14:44 AM
Last updated: 5/14/2026, 2:29:34 PM
Views: 37
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.