CVE-2026-40928: CWE-352: Cross-Site Request Forgery (CSRF) in WWBN AVideo
WWBN AVideo is an open source video platform. In versions 29.0 and prior, multiple AVideo JSON endpoints under `objects/` accept state-changing requests via `$_REQUEST`/`$_GET` and persist changes tied to the caller's session user, without any anti-CSRF token, origin check, or referer check. A malicious page visited by a logged-in victim can silently cast/flip the victim's like/dislike on any comment (`objects/comments_like.json.php`), post a comment authored by the victim on any video, with attacker-chosen text (`objects/commentAddNew.json.php`), and/or delete assets from any category (`objects/categoryDeleteAssets.json.php`) when the victim has category management rights. Each endpoint is reachable from a browser via a simple `<img src="…">` tag or form submission, so exploitation only requires the victim to load an attacker-controlled HTML resource. Commit 7aaad601bd9cd7b993ba0ee1b1bea6c32ee7b77c contains a fix.
AI Analysis
Technical Summary
WWBN AVideo up to version 29.0 has CSRF vulnerabilities in multiple JSON endpoints under 'objects/'. These endpoints process state-changing requests via $_REQUEST/$_GET without verifying anti-CSRF tokens or origin headers, allowing attackers to perform unauthorized actions on behalf of authenticated users. Exploitation requires only that the victim loads attacker-controlled HTML content, which can trigger actions such as flipping likes/dislikes on comments, posting arbitrary comments, or deleting category assets if permitted. The issue is addressed in a specific code commit.
Potential Impact
Exploitation allows attackers to perform unauthorized state changes in the application as the victim user, including modifying comment likes, posting comments with arbitrary content, and deleting assets in categories where the victim has management rights. This can lead to integrity loss of user interactions and potential data loss. There is no indication of confidentiality or availability impact beyond these actions. No known exploits in the wild have been reported.
Mitigation Recommendations
A fix for this vulnerability is available in the codebase as indicated by commit 7aaad601bd9cd7b993ba0ee1b1bea6c32ee7b77c. Users of WWBN AVideo should upgrade to a version including this commit or apply the patch to implement proper anti-CSRF protections such as tokens or origin checks on affected endpoints. Since the vendor advisory or patch links are not explicitly provided, verify the fix by reviewing the referenced commit in the project repository. Until patched, users should be cautious about visiting untrusted web pages while authenticated to the affected AVideo instance.
CVE-2026-40928: CWE-352: Cross-Site Request Forgery (CSRF) in WWBN AVideo
Description
WWBN AVideo is an open source video platform. In versions 29.0 and prior, multiple AVideo JSON endpoints under `objects/` accept state-changing requests via `$_REQUEST`/`$_GET` and persist changes tied to the caller's session user, without any anti-CSRF token, origin check, or referer check. A malicious page visited by a logged-in victim can silently cast/flip the victim's like/dislike on any comment (`objects/comments_like.json.php`), post a comment authored by the victim on any video, with attacker-chosen text (`objects/commentAddNew.json.php`), and/or delete assets from any category (`objects/categoryDeleteAssets.json.php`) when the victim has category management rights. Each endpoint is reachable from a browser via a simple `<img src="…">` tag or form submission, so exploitation only requires the victim to load an attacker-controlled HTML resource. Commit 7aaad601bd9cd7b993ba0ee1b1bea6c32ee7b77c contains a fix.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
WWBN AVideo up to version 29.0 has CSRF vulnerabilities in multiple JSON endpoints under 'objects/'. These endpoints process state-changing requests via $_REQUEST/$_GET without verifying anti-CSRF tokens or origin headers, allowing attackers to perform unauthorized actions on behalf of authenticated users. Exploitation requires only that the victim loads attacker-controlled HTML content, which can trigger actions such as flipping likes/dislikes on comments, posting arbitrary comments, or deleting category assets if permitted. The issue is addressed in a specific code commit.
Potential Impact
Exploitation allows attackers to perform unauthorized state changes in the application as the victim user, including modifying comment likes, posting comments with arbitrary content, and deleting assets in categories where the victim has management rights. This can lead to integrity loss of user interactions and potential data loss. There is no indication of confidentiality or availability impact beyond these actions. No known exploits in the wild have been reported.
Mitigation Recommendations
A fix for this vulnerability is available in the codebase as indicated by commit 7aaad601bd9cd7b993ba0ee1b1bea6c32ee7b77c. Users of WWBN AVideo should upgrade to a version including this commit or apply the patch to implement proper anti-CSRF protections such as tokens or origin checks on affected endpoints. Since the vendor advisory or patch links are not explicitly provided, verify the fix by reviewing the referenced commit in the project repository. Until patched, users should be cautious about visiting untrusted web pages while authenticated to the affected AVideo instance.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-15T20:40:15.517Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69e7faaa19fe3cd2cd001489
Added to database: 4/21/2026, 10:31:06 PM
Last enriched: 4/21/2026, 10:47:15 PM
Last updated: 4/22/2026, 7:14:31 AM
Views: 9
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.