CVE-2026-40929: CWE-352: Cross-Site Request Forgery (CSRF) in WWBN AVideo
WWBN AVideo is an open source video platform. In versions 29.0 and prior, `objects/commentDelete.json.php` is a state-mutating JSON endpoint that deletes comments but performs no CSRF validation. It does not call `forbidIfIsUntrustedRequest()`, does not verify a CSRF/global token, and does not check `Origin`/`Referer`. Because AVideo intentionally sets `session.cookie_samesite=None` (to support cross-origin embed players), a cross-site request from any attacker-controlled page automatically carries the victim's `PHPSESSID`. Any authenticated victim who has authority to delete one or more comments (site moderators, video owners, and comment authors) can be tricked into deleting comments en masse simply by visiting an attacker page. Commit 184f36b1896f3364f864f17c1acca3dd8df3af27 contains a fix.
AI Analysis
Technical Summary
The vulnerability in WWBN AVideo (<=29.0) is a CSRF issue in the comment deletion JSON endpoint. This endpoint mutates state by deleting comments but lacks CSRF validation mechanisms including token checks and origin/referrer verification. The platform's use of session.cookie_samesite=None causes the victim's PHPSESSID cookie to be sent automatically with cross-site requests, enabling attackers to perform unauthorized comment deletions if the victim is authenticated and authorized. The vulnerability affects site moderators, video owners, and comment authors who can delete comments. A code commit has been made to fix this issue.
Potential Impact
An attacker can cause an authenticated user with comment deletion privileges to unknowingly delete comments by tricking them into visiting a malicious webpage. This results in unauthorized comment deletions (integrity loss) and potential denial of service to comment functionality (availability impact). There is no direct confidentiality impact reported. The CVSS score of 5.4 (medium severity) reflects the moderate impact and ease of exploitation requiring user interaction.
Mitigation Recommendations
A fix has been implemented as indicated by the referenced commit (184f36b1896f3364f864f17c1acca3dd8df3af27). Users should update to a version including this fix to ensure CSRF protections are in place on the comment deletion endpoint. Until patched, administrators should be aware of the risk and consider restricting comment deletion privileges or implementing additional protective measures. Patch status is not explicitly confirmed in vendor advisories; therefore, verify the fix availability and apply updates accordingly.
CVE-2026-40929: CWE-352: Cross-Site Request Forgery (CSRF) in WWBN AVideo
Description
WWBN AVideo is an open source video platform. In versions 29.0 and prior, `objects/commentDelete.json.php` is a state-mutating JSON endpoint that deletes comments but performs no CSRF validation. It does not call `forbidIfIsUntrustedRequest()`, does not verify a CSRF/global token, and does not check `Origin`/`Referer`. Because AVideo intentionally sets `session.cookie_samesite=None` (to support cross-origin embed players), a cross-site request from any attacker-controlled page automatically carries the victim's `PHPSESSID`. Any authenticated victim who has authority to delete one or more comments (site moderators, video owners, and comment authors) can be tricked into deleting comments en masse simply by visiting an attacker page. Commit 184f36b1896f3364f864f17c1acca3dd8df3af27 contains a fix.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability in WWBN AVideo (<=29.0) is a CSRF issue in the comment deletion JSON endpoint. This endpoint mutates state by deleting comments but lacks CSRF validation mechanisms including token checks and origin/referrer verification. The platform's use of session.cookie_samesite=None causes the victim's PHPSESSID cookie to be sent automatically with cross-site requests, enabling attackers to perform unauthorized comment deletions if the victim is authenticated and authorized. The vulnerability affects site moderators, video owners, and comment authors who can delete comments. A code commit has been made to fix this issue.
Potential Impact
An attacker can cause an authenticated user with comment deletion privileges to unknowingly delete comments by tricking them into visiting a malicious webpage. This results in unauthorized comment deletions (integrity loss) and potential denial of service to comment functionality (availability impact). There is no direct confidentiality impact reported. The CVSS score of 5.4 (medium severity) reflects the moderate impact and ease of exploitation requiring user interaction.
Mitigation Recommendations
A fix has been implemented as indicated by the referenced commit (184f36b1896f3364f864f17c1acca3dd8df3af27). Users should update to a version including this fix to ensure CSRF protections are in place on the comment deletion endpoint. Until patched, administrators should be aware of the risk and consider restricting comment deletion privileges or implementing additional protective measures. Patch status is not explicitly confirmed in vendor advisories; therefore, verify the fix availability and apply updates accordingly.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-15T20:40:15.517Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69e7faaa19fe3cd2cd00148d
Added to database: 4/21/2026, 10:31:06 PM
Last enriched: 4/21/2026, 10:47:03 PM
Last updated: 4/22/2026, 6:36:31 AM
Views: 9
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.