CVE-2026-40926: CWE-352: Cross-Site Request Forgery (CSRF) in WWBN AVideo
WWBN AVideo is an open source video platform. In versions 29.0 and prior, three admin-only JSON endpoints — `objects/categoryAddNew.json.php`, `objects/categoryDelete.json.php`, and `objects/pluginRunUpdateScript.json.php` — enforce only a role check (`Category::canCreateCategory()` / `User::isAdmin()`) and perform state-changing actions against the database without calling `isGlobalTokenValid()` or `forbidIfIsUntrustedRequest()`. Peer endpoints in the same directory (`pluginSwitch.json.php`, `pluginRunDatabaseScript.json.php`) do enforce the CSRF token, so the missing checks are an omission rather than a design choice. An attacker who lures a logged-in admin to a malicious page can create, update, or delete categories and force execution of any installed plugin's `updateScript()` method in the admin's session. Commit ee5615153c40628ab3ec6fe04962d1f92e67d3e2 contains a fix.
AI Analysis
Technical Summary
The vulnerability in WWBN AVideo (<= 29.0) involves three admin-only JSON endpoints (`objects/categoryAddNew.json.php`, `objects/categoryDelete.json.php`, and `objects/pluginRunUpdateScript.json.php`) that lack CSRF token validation despite performing sensitive state-changing operations. These endpoints enforce only role-based access control but do not call `isGlobalTokenValid()` or `forbidIfIsUntrustedRequest()`, which are used to prevent CSRF attacks. This omission allows attackers to exploit a logged-in administrator's session by tricking them into visiting malicious web pages that trigger unauthorized category management or plugin update script execution. Peer endpoints in the same directory do enforce CSRF tokens, indicating this was an oversight. The vulnerability is tracked as CVE-2026-40926 with a CVSS 3.1 score of 7.1 (high severity). A patch addressing this issue is included in commit ee5615153c40628ab3ec6fe04962d1f92e67d3e2.
Potential Impact
Successful exploitation allows an attacker to perform unauthorized administrative actions such as creating or deleting categories and forcing execution of plugin update scripts within the context of an authenticated admin session. This can lead to unauthorized modification of the platform's content and potentially affect plugin behavior or integrity. The vulnerability does not directly impact confidentiality but has a high impact on integrity and a low impact on availability.
Mitigation Recommendations
A fix for this vulnerability is available in commit ee5615153c40628ab3ec6fe04962d1f92e67d3e2, which adds proper CSRF token validation to the affected endpoints. Users of WWBN AVideo version 29.0 or earlier should apply this update promptly to mitigate the risk. Until patched, administrators should avoid interacting with untrusted web content while logged into the platform to reduce exposure to CSRF attacks.
CVE-2026-40926: CWE-352: Cross-Site Request Forgery (CSRF) in WWBN AVideo
Description
WWBN AVideo is an open source video platform. In versions 29.0 and prior, three admin-only JSON endpoints — `objects/categoryAddNew.json.php`, `objects/categoryDelete.json.php`, and `objects/pluginRunUpdateScript.json.php` — enforce only a role check (`Category::canCreateCategory()` / `User::isAdmin()`) and perform state-changing actions against the database without calling `isGlobalTokenValid()` or `forbidIfIsUntrustedRequest()`. Peer endpoints in the same directory (`pluginSwitch.json.php`, `pluginRunDatabaseScript.json.php`) do enforce the CSRF token, so the missing checks are an omission rather than a design choice. An attacker who lures a logged-in admin to a malicious page can create, update, or delete categories and force execution of any installed plugin's `updateScript()` method in the admin's session. Commit ee5615153c40628ab3ec6fe04962d1f92e67d3e2 contains a fix.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability in WWBN AVideo (<= 29.0) involves three admin-only JSON endpoints (`objects/categoryAddNew.json.php`, `objects/categoryDelete.json.php`, and `objects/pluginRunUpdateScript.json.php`) that lack CSRF token validation despite performing sensitive state-changing operations. These endpoints enforce only role-based access control but do not call `isGlobalTokenValid()` or `forbidIfIsUntrustedRequest()`, which are used to prevent CSRF attacks. This omission allows attackers to exploit a logged-in administrator's session by tricking them into visiting malicious web pages that trigger unauthorized category management or plugin update script execution. Peer endpoints in the same directory do enforce CSRF tokens, indicating this was an oversight. The vulnerability is tracked as CVE-2026-40926 with a CVSS 3.1 score of 7.1 (high severity). A patch addressing this issue is included in commit ee5615153c40628ab3ec6fe04962d1f92e67d3e2.
Potential Impact
Successful exploitation allows an attacker to perform unauthorized administrative actions such as creating or deleting categories and forcing execution of plugin update scripts within the context of an authenticated admin session. This can lead to unauthorized modification of the platform's content and potentially affect plugin behavior or integrity. The vulnerability does not directly impact confidentiality but has a high impact on integrity and a low impact on availability.
Mitigation Recommendations
A fix for this vulnerability is available in commit ee5615153c40628ab3ec6fe04962d1f92e67d3e2, which adds proper CSRF token validation to the affected endpoints. Users of WWBN AVideo version 29.0 or earlier should apply this update promptly to mitigate the risk. Until patched, administrators should avoid interacting with untrusted web content while logged into the platform to reduce exposure to CSRF attacks.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-15T20:40:15.517Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69e7faaa19fe3cd2cd001485
Added to database: 4/21/2026, 10:31:06 PM
Last enriched: 4/21/2026, 10:46:35 PM
Last updated: 4/22/2026, 7:14:33 AM
Views: 7
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.