WWBN AVideo has Multiple CSRF Vulnerabilities in Admin JSON Endpoints (Category CRUD, Plugin Update Script)
Platform: php
Component: avideo
Fixed in: 29.0.1
CVE-2026-40926 describes a Cross-Site Request Forgery (CSRF) vulnerability discovered in AVideo. This flaw allows an attacker to perform actions as an authenticated administrator without their knowledge, potentially leading to unauthorized modifications of the system. The vulnerability impacts versions 1.0.0 through 29.0 and has been resolved in version 29.1.
Impact and attack scenarios
The core of this vulnerability lies in three admin-only JSON endpoints: objects/categoryAddNew.json.php, objects/categoryDelete.json.php, and objects/pluginRunUpdateScript.json.php. These endpoints lack proper CSRF protection, relying solely on role checks. An attacker can craft malicious links or embed them in websites to trick authenticated administrators into unknowingly executing these requests. Successful exploitation could allow an attacker to add, delete, or modify categories, and execute update scripts, potentially compromising the integrity of the AVideo installation and the underlying data. The omission of CSRF checks, when compared to similar endpoints, highlights a clear oversight in the security implementation.
Exploitation context
CVE-2026-40926 was published on 2026-04-21. The vulnerability's relatively straightforward exploitation path and the potential for significant impact suggest a medium probability of exploitation. No public Proof-of-Concept (PoC) code has been identified at the time of writing, but the lack of CSRF protection in these critical admin endpoints makes it a likely target for opportunistic attackers. The vulnerability is not currently listed on KEV or EPSS.
Threat analysis
Exploit status
EPSS: 0.02% (6th percentile)
CISA SSVC
CVSS vector
What do these metrics mean?
- Attack Vector: Network. Exploitable remotely over the Internet; no physical or local access required.
- Attack Complexity: Low. No special conditions required; reliably exploitable.
- Privileges Required: None. Exploitable without authentication; no credentials required.
- User Interaction: Required. The victim must open a file, click a link or visit a page.
- Scope: Unchanged. Impact is limited to the vulnerable component.
- Confidentiality: None. No confidentiality impact.
- Integrity: High. The attacker can write, modify or delete arbitrary data.
- Availability: Low. Partial or intermittent denial of service.
Affected software
Vulnerability classification (CWE)
Timeline
- Reserved
- Published
- Modified
- EPSS updated
Mitigation and workarounds
The primary mitigation for CVE-2026-40926 is to upgrade AVideo to version 29.1 or later, which includes the necessary CSRF protection. If upgrading immediately is not feasible, consider implementing a Web Application Firewall (WAF) rule to block requests to the vulnerable endpoints (objects/categoryAddNew.json.php, objects/categoryDelete.json.php, objects/pluginRunUpdateScript.json.php) that do not include a valid CSRF token. Additionally, ensure that administrators are educated about the risks of clicking on suspicious links and opening untrusted emails. After upgrading, confirm the fix by attempting to trigger the vulnerable endpoints in a controlled environment and verifying that CSRF protection is now enforced.
How to fix
Update the AVideo plugin to version 29.1 or later to mitigate the CSRF vulnerability. This update implements the checks needed to protect against unauthorized creation, update or deletion of categories and unauthorized execution of plugin update scripts.
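The two sections above describe the flaw as admin endpoints that rely on a role check alone, and the fix as adding the missing CSRF checks. The following is an added illustration written for this page, not AVideo's code and not the project's actual patch: it places the vulnerable pattern (role check only) beside a hardened handler that adds a synchronizer-token check with constant-time comparison and an Origin/Referer check as defence in depth. Every function name, the session layout, the `csrf_token` field and the hostnames are assumptions.

```php
<?php
// Added example for this advisory; not AVideo's code. All helper names, the session
// array layout, the csrf_token field name and the hosts used below are hypothetical.

declare(strict_types=1);

// Hypothetical stand-in for the application's role check.
function isAdmin(array $session): bool
{
    return ($session['is_admin'] ?? false) === true;
}

// Issue one random token per session and keep the canonical copy server-side.
function issueCsrfToken(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Compare the submitted token with the session copy in constant time.
function verifyCsrfToken(array $session, ?string $submitted): bool
{
    $expected = $session['csrf_token'] ?? '';
    if ($expected === '' || $submitted === null) {
        return false;
    }
    return hash_equals($expected, $submitted);
}

// Defence in depth: a state-changing request must come from our own origin.
function isSameOrigin(array $headers, string $expectedHost): bool
{
    $source = $headers['Origin'] ?? $headers['Referer'] ?? null;
    if ($source === null) {
        return false; // browser form posts normally carry at least one of these
    }
    $host = (string) parse_url($source, PHP_URL_HOST);
    return $host !== '' && strcasecmp($host, $expectedHost) === 0;
}

// Vulnerable pattern: the role check is satisfied by the session cookie, which the
// admin's browser attaches to a request no matter which site initiated it.
function categoryDeleteVulnerable(array $session, array $post): array
{
    if (!isAdmin($session)) {
        return ['error' => true, 'msg' => 'admin only'];
    }
    return ['error' => false, 'deleted' => (int) ($post['id'] ?? 0)];
}

// Hardened pattern: same role check, then origin and CSRF token validation.
function categoryDeleteHardened(array $session, array $post, array $headers, string $host): array
{
    if (!isAdmin($session)) {
        return ['error' => true, 'msg' => 'admin only'];
    }
    if (!isSameOrigin($headers, $host) || !verifyCsrfToken($session, $post['csrf_token'] ?? null)) {
        // Log for detection and refuse; another site cannot read this session's token.
        error_log('CSRF check failed for categoryDelete');
        return ['error' => true, 'msg' => 'invalid CSRF token'];
    }
    return ['error' => false, 'deleted' => (int) ($post['id'] ?? 0)];
}

// Constructed demonstration: an admin session, one forged and one legitimate request.
$session = ['is_admin' => true];
$token   = issueCsrfToken($session);

$forgedPost    = ['id' => 7];                                  // no token
$forgedHeaders = ['Origin' => 'https://other-site.example'];   // foreign origin
$goodPost      = ['id' => 7, 'csrf_token' => $token];
$goodHeaders   = ['Origin' => 'https://video.example'];

$label = fn(array $r): string => $r['error'] ? 'blocked' : 'allowed';
echo 'vulnerable handler, forged request: ' . $label(categoryDeleteVulnerable($session, $forgedPost)) . PHP_EOL;
echo 'hardened handler, forged request:   ' . $label(categoryDeleteHardened($session, $forgedPost, $forgedHeaders, 'video.example')) . PHP_EOL;
echo 'hardened handler, legitimate:       ' . $label(categoryDeleteHardened($session, $goodPost, $goodHeaders, 'video.example')) . PHP_EOL;
```

The hardened handler is the shape a WAF rule of the kind mentioned above can only approximate: a proxy can check that a token parameter is present and that the Origin matches, but only the application holds the session copy needed to verify the token value itself, which is why the upgrade, not the WAF rule, is the real fix.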
Frequently asked questions
What is CVE-2026-40926 — CSRF in AVideo?
CVE-2026-40926 is a Cross-Site Request Forgery (CSRF) vulnerability affecting AVideo versions 1.0.0 through 29.0. It allows attackers to perform actions as an administrator without their consent via crafted requests.
Am I affected by CVE-2026-40926 in AVideo?
If you are running AVideo version 1.0.0 through 29.0, you are potentially affected by this vulnerability. Upgrade to version 29.1 or later to mitigate the risk.
How do I fix CVE-2026-40926 in AVideo?
The recommended fix is to upgrade AVideo to version 29.1 or later. As a temporary workaround, implement a WAF rule to block requests to the vulnerable endpoints without a valid CSRF token.
Is CVE-2026-40926 being actively exploited?
While no public Proof-of-Concept (PoC) code has been identified, the vulnerability's nature makes it a potential target for exploitation. Continuous monitoring is recommended.
Where can I find the official AVideo advisory for CVE-2026-40926?
Refer to the AVideo official website and security advisories for the most up-to-date information regarding CVE-2026-40926 and the recommended remediation steps.