CVE-2026-40929: CWE-352: Cross-Site Request Forgery (CSRF) in WWBN AVideo
WWBN AVideo versions 29. 0 and prior contain a Cross-Site Request Forgery (CSRF) vulnerability in the comment deletion endpoint. The endpoint 'objects/commentDelete. json. php' allows authenticated users with deletion privileges to delete comments without any CSRF protections such as token validation or origin checks. Because the platform sets session cookies with SameSite=None, cross-origin requests automatically include the session cookie, enabling attackers to trick authorized users into deleting comments by visiting malicious pages. A fix for this vulnerability is referenced in a specific commit but no official patch release information is provided.
AI Analysis
Technical Summary
CVE-2026-40929 is a CSRF vulnerability in WWBN AVideo (<= 29.0) affecting the comment deletion JSON endpoint. The endpoint lacks CSRF defenses: it does not call forbidIfIsUntrustedRequest(), verify CSRF tokens, or check Origin/Referer headers. The platform's use of session.cookie_samesite=None causes the victim's PHPSESSID cookie to be sent with cross-site requests, allowing attackers to perform unauthorized comment deletions if the victim is authenticated and authorized. The vulnerability affects site moderators, video owners, and comment authors. A code commit (184f36b1896f3364f864f17c1acca3dd8df3af27) contains a fix, but no official patch release is documented.
Potential Impact
An attacker can cause authenticated users with comment deletion privileges to unknowingly delete comments by tricking them into visiting a malicious webpage. This results in unauthorized deletion of comments, impacting integrity and availability of user-generated content. There is no direct confidentiality impact. The CVSS score is 5.4 (medium severity), reflecting low attack complexity but requiring user interaction and no privilege required beyond authentication.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. The vendor has committed a fix in the source code repository (commit 184f36b1896f3364f864f17c1acca3dd8df3af27) that adds CSRF protections to the comment deletion endpoint. Until an official patch is released and applied, users should consider restricting comment deletion privileges and avoid visiting untrusted sites while authenticated. Monitor vendor channels for an official update.
CVE-2026-40929: CWE-352: Cross-Site Request Forgery (CSRF) in WWBN AVideo
Description
WWBN AVideo versions 29. 0 and prior contain a Cross-Site Request Forgery (CSRF) vulnerability in the comment deletion endpoint. The endpoint 'objects/commentDelete. json. php' allows authenticated users with deletion privileges to delete comments without any CSRF protections such as token validation or origin checks. Because the platform sets session cookies with SameSite=None, cross-origin requests automatically include the session cookie, enabling attackers to trick authorized users into deleting comments by visiting malicious pages. A fix for this vulnerability is referenced in a specific commit but no official patch release information is provided.
CVSS v3.1
Score 5.4medium
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-40929 is a CSRF vulnerability in WWBN AVideo (<= 29.0) affecting the comment deletion JSON endpoint. The endpoint lacks CSRF defenses: it does not call forbidIfIsUntrustedRequest(), verify CSRF tokens, or check Origin/Referer headers. The platform's use of session.cookie_samesite=None causes the victim's PHPSESSID cookie to be sent with cross-site requests, allowing attackers to perform unauthorized comment deletions if the victim is authenticated and authorized. The vulnerability affects site moderators, video owners, and comment authors. A code commit (184f36b1896f3364f864f17c1acca3dd8df3af27) contains a fix, but no official patch release is documented.
Potential Impact
An attacker can cause authenticated users with comment deletion privileges to unknowingly delete comments by tricking them into visiting a malicious webpage. This results in unauthorized deletion of comments, impacting integrity and availability of user-generated content. There is no direct confidentiality impact. The CVSS score is 5.4 (medium severity), reflecting low attack complexity but requiring user interaction and no privilege required beyond authentication.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. The vendor has committed a fix in the source code repository (commit 184f36b1896f3364f864f17c1acca3dd8df3af27) that adds CSRF protections to the comment deletion endpoint. Until an official patch is released and applied, users should consider restricting comment deletion privileges and avoid visiting untrusted sites while authenticated. Monitor vendor channels for an official update.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-15T20:40:15.517Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69e7faaa19fe3cd2cd00148d
Added to database: 4/21/2026, 10:31:06 PM
Last enriched: 4/29/2026, 11:12:06 AM
Last updated: 6/4/2026, 10:38:10 PM
Views: 52
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.