CVE-2026-35181: CWE-352: Cross-Site Request Forgery (CSRF) in WWBN AVideo
WWBN AVideo versions 26. 0 and earlier contain a Cross-Site Request Forgery (CSRF) vulnerability in the player skin configuration endpoint (admin/playerUpdate. json. php). This endpoint does not validate CSRF tokens, and the plugins table is excluded from ORM domain-based security checks, removing additional protection. Because the platform uses SameSite=None cookies, a cross-origin POST request can modify the video player appearance across the platform. The vulnerability has a medium severity with a CVSS score of 4. 3. No official patch or remediation guidance is currently available.
AI Analysis
Technical Summary
The vulnerability in WWBN AVideo (<= 26.0) involves a lack of CSRF token validation at the player skin configuration endpoint (admin/playerUpdate.json.php). The plugins table is explicitly excluded from ORM security checks via ignoreTableSecurityCheck(), eliminating a secondary defense layer. Combined with SameSite=None cookie settings, this allows an attacker to perform a cross-origin POST request that can alter the video player appearance platform-wide. The CVSS 3.1 base score is 4.3, indicating medium severity, with no known exploits in the wild and no vendor-provided patch or remediation at this time.
Potential Impact
An attacker can exploit this vulnerability to perform unauthorized cross-origin POST requests that modify the video player appearance on the entire platform. This results in limited integrity impact (modification of UI elements) without affecting confidentiality or availability. There is no indication of further compromise or data exposure from this vulnerability.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, consider implementing manual CSRF protections on the affected endpoint and reviewing cookie settings to reduce cross-origin risks. Avoid using SameSite=None cookies if not strictly necessary. Monitor for vendor updates regarding patches or official mitigations.
CVE-2026-35181: CWE-352: Cross-Site Request Forgery (CSRF) in WWBN AVideo
Description
WWBN AVideo versions 26. 0 and earlier contain a Cross-Site Request Forgery (CSRF) vulnerability in the player skin configuration endpoint (admin/playerUpdate. json. php). This endpoint does not validate CSRF tokens, and the plugins table is excluded from ORM domain-based security checks, removing additional protection. Because the platform uses SameSite=None cookies, a cross-origin POST request can modify the video player appearance across the platform. The vulnerability has a medium severity with a CVSS score of 4. 3. No official patch or remediation guidance is currently available.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability in WWBN AVideo (<= 26.0) involves a lack of CSRF token validation at the player skin configuration endpoint (admin/playerUpdate.json.php). The plugins table is explicitly excluded from ORM security checks via ignoreTableSecurityCheck(), eliminating a secondary defense layer. Combined with SameSite=None cookie settings, this allows an attacker to perform a cross-origin POST request that can alter the video player appearance platform-wide. The CVSS 3.1 base score is 4.3, indicating medium severity, with no known exploits in the wild and no vendor-provided patch or remediation at this time.
Potential Impact
An attacker can exploit this vulnerability to perform unauthorized cross-origin POST requests that modify the video player appearance on the entire platform. This results in limited integrity impact (modification of UI elements) without affecting confidentiality or availability. There is no indication of further compromise or data exposure from this vulnerability.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, consider implementing manual CSRF protections on the affected endpoint and reviewing cookie settings to reduce cross-origin risks. Avoid using SameSite=None cookies if not strictly necessary. Monitor for vendor updates regarding patches or official mitigations.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-01T17:26:21.133Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69d409d70a160ebd92d5a951
Added to database: 4/6/2026, 7:30:31 PM
Last enriched: 4/6/2026, 7:46:30 PM
Last updated: 4/7/2026, 12:29:08 AM
Views: 3
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.