CVE-2026-43880: CWE-940: Improper Verification of Source of a Communication Channel in WWBN AVideo
CVE-2026-43880 is a medium severity vulnerability in WWBN AVideo versions up to 29. 0. It allows unauthenticated attackers to abuse a public email-sending endpoint to send emails from the site's legitimate address without authentication or CSRF protection. This can enable phishing or brand impersonation attacks by leveraging the site's own SMTP infrastructure and passing SPF/DKIM/DMARC checks. No official patch or remediation level is confirmed in the provided data.
AI Analysis
Technical Summary
WWBN AVideo up to version 29.0 contains an improper verification of the source of a communication channel vulnerability (CWE-940) in the objects/sendEmail.json.php endpoint. This endpoint is allow-listed as a public write action and requires no authentication or CSRF token. When the contactForm parameter is omitted, the endpoint sets the recipient email to an attacker-supplied value and uses the site's contact email as the sender. An unauthenticated attacker who can solve a captcha can exploit this to send arbitrary emails from the site’s domain, potentially facilitating phishing or brand impersonation. A fix is referenced in commit 4e3709895857a5857f0edb46b0ee984de0d9e1a2, but no official patch or vendor advisory is provided in the input.
Potential Impact
The vulnerability allows attackers to send emails from the legitimate domain of the affected site without authentication, potentially enabling targeted phishing campaigns and brand impersonation. The emails pass SPF, DKIM, and DMARC checks, increasing their likelihood of bypassing spam filters. There is no indication of direct confidentiality or availability impact. No known exploits in the wild are reported.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. The input references a commit containing a fix, but no official patch or advisory is provided. Until an official fix is applied, consider restricting access to the vulnerable endpoint or implementing additional verification to prevent abuse. Avoid relying solely on captcha as a defense.
CVE-2026-43880: CWE-940: Improper Verification of Source of a Communication Channel in WWBN AVideo
Description
CVE-2026-43880 is a medium severity vulnerability in WWBN AVideo versions up to 29. 0. It allows unauthenticated attackers to abuse a public email-sending endpoint to send emails from the site's legitimate address without authentication or CSRF protection. This can enable phishing or brand impersonation attacks by leveraging the site's own SMTP infrastructure and passing SPF/DKIM/DMARC checks. No official patch or remediation level is confirmed in the provided data.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
WWBN AVideo up to version 29.0 contains an improper verification of the source of a communication channel vulnerability (CWE-940) in the objects/sendEmail.json.php endpoint. This endpoint is allow-listed as a public write action and requires no authentication or CSRF token. When the contactForm parameter is omitted, the endpoint sets the recipient email to an attacker-supplied value and uses the site's contact email as the sender. An unauthenticated attacker who can solve a captcha can exploit this to send arbitrary emails from the site’s domain, potentially facilitating phishing or brand impersonation. A fix is referenced in commit 4e3709895857a5857f0edb46b0ee984de0d9e1a2, but no official patch or vendor advisory is provided in the input.
Potential Impact
The vulnerability allows attackers to send emails from the legitimate domain of the affected site without authentication, potentially enabling targeted phishing campaigns and brand impersonation. The emails pass SPF, DKIM, and DMARC checks, increasing their likelihood of bypassing spam filters. There is no indication of direct confidentiality or availability impact. No known exploits in the wild are reported.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. The input references a commit containing a fix, but no official patch or advisory is provided. Until an official fix is applied, consider restricting access to the vulnerable endpoint or implementing additional verification to prevent abuse. Avoid relying solely on captcha as a defense.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-05-04T15:17:09.329Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a028749cbff5d86108b51a3
Added to database: 5/12/2026, 1:50:01 AM
Last enriched: 5/12/2026, 1:54:19 AM
Last updated: 5/12/2026, 3:52:38 AM
Views: 2
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.