Platform
php
Component
avideo
Fixed in
26.0.1
CVE-2026-35180 describes a Cross-Site Request Forgery (CSRF) vulnerability affecting WWBN AVideo, an open-source video platform. This flaw allows attackers to potentially overwrite the platform's logo with malicious content. The vulnerability impacts versions 1.0.0 up to and including 26.0, and a fix is available in version 26.1.
An attacker can exploit this CSRF vulnerability by crafting a malicious request that, when triggered by a logged-in administrator, will overwrite the platform's logo with content controlled by the attacker. This could involve replacing the logo with a phishing image, a malicious advertisement, or other content designed to mislead users or compromise the platform's branding. The SameSite=None cookie policy exacerbates the risk by allowing cross-origin POST requests. While the immediate impact is primarily cosmetic, it can be a stepping stone for further attacks or damage the platform's reputation and user trust.
This vulnerability was publicly disclosed on 2026-04-06. No public proof-of-concept (PoC) code has been released at the time of writing, but the vulnerability's nature and the lack of CSRF protection make exploitation relatively straightforward. It is not currently listed on the CISA KEV catalog. The CVSS score of 4.3 (MEDIUM) indicates a moderate risk of exploitation.
Organizations and individuals using WWBN AVideo versions 1.0.0 through 26.0 are at risk, particularly those with publicly accessible admin interfaces or those who have not implemented robust access controls to the admin panel. Shared hosting environments where multiple users share the same AVideo instance are also at increased risk.
• php: Examine access logs for POST requests to /admin/customizesettingsnativeUpdate.json.php originating from unexpected sources or without proper CSRF tokens.
grep -i 'POST /admin/customize_settings_nativeUpdate.json.php' access.log | grep -i 'Referer:'
Disclosure
Exploit status
EPSS
0.02% (3rd percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-35180 is to upgrade AVideo to version 26.1 or later, which includes the necessary CSRF token validation. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to block requests to the /admin/customizesettingsnativeUpdate.json.php endpoint that lack a valid CSRF token. Additionally, review and restrict access to the admin interface to minimize the attack surface. Monitor access logs for suspicious POST requests to this endpoint.
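As an added example (not code from the advisory or the AVideo project), the log review suggested above implemented in Python: it parses combined-format access log lines and flags POST requests to the logo/customization endpoint whose Referer is missing or points at a different origin than the site itself. The hostname videos.example.org and the sample log lines are constructed; the endpoint path is taken from this page, which spells it both with and without underscores.

```python
import re
from urllib.parse import urlsplit

# Endpoint named in the advisory (it appears with and without underscores on the page).
WATCHED_PATHS = {
    "/admin/customizesettingsnativeUpdate.json.php",
    "/admin/customize_settings_nativeUpdate.json.php",
}
SITE_HOST = "videos.example.org"  # assumed hostname of your own AVideo instance

# Apache/nginx "combined" format: ip ident user [ts] "METHOD PATH PROTO" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

def suspicious_logo_updates(lines, site_host=SITE_HOST):
    """Return (ip, timestamp, reason) for POSTs to the watched endpoint whose Referer
    is absent or cross-origin; a legitimate admin form submission carries a same-origin one."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line, skip
        path = m["path"].split("?", 1)[0]
        if m["method"] != "POST" or path not in WATCHED_PATHS:
            continue
        referer = m["referer"]
        if referer in ("", "-"):
            findings.append((m["ip"], m["ts"], "no Referer"))
            continue
        ref_host = urlsplit(referer).hostname or ""
        if ref_host.lower() != site_host.lower():
            findings.append((m["ip"], m["ts"], f"cross-origin Referer {ref_host}"))
    return findings

# Constructed sample lines (not real traffic): one legitimate admin update, two suspicious POSTs, one GET.
SAMPLE_LOG = [
    '203.0.113.7 - - [06/Apr/2026:10:00:01 +0000] "POST /admin/customizesettingsnativeUpdate.json.php HTTP/1.1" 200 51 "https://videos.example.org/admin/customizesettings.php" "Mozilla/5.0"',
    '198.51.100.9 - - [06/Apr/2026:10:02:17 +0000] "POST /admin/customizesettingsnativeUpdate.json.php HTTP/1.1" 200 51 "https://third-party.example.net/page.html" "Mozilla/5.0"',
    '198.51.100.9 - - [06/Apr/2026:10:02:18 +0000] "POST /admin/customize_settings_nativeUpdate.json.php HTTP/1.1" 200 51 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [06/Apr/2026:10:03:00 +0000] "GET /admin/customizesettingsnativeUpdate.json.php HTTP/1.1" 200 51 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, ts, reason in suspicious_logo_updates(SAMPLE_LOG):
        print(f"{ts} {ip}: {reason}")
```

A missing Referer is a weak signal on its own, since browsers strip it under strict referrer policies, so treat these hits as triage candidates to correlate with the logo change history rather than as proof of abuse.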
Update AVideo to version 26.1 or later to fix the CSRF vulnerability. This update implements CSRF token validation at the site customization endpoint and thereby prevents the logo from being overwritten with attacker-controlled content.
CVE-2026-35180 is a Cross-Site Request Forgery (CSRF) vulnerability in WWBN AVideo versions 1.0.0 through 26.0, allowing attackers to potentially overwrite the platform's logo.
Yes, if you are using WWBN AVideo versions 1.0.0 through 26.0, you are potentially affected by this vulnerability.
Upgrade AVideo to version 26.1 or later to resolve the vulnerability. Consider WAF rules as a temporary mitigation.
While no active exploitation has been confirmed, the vulnerability's nature suggests a potential for exploitation.
Refer to the WWBN AVideo security advisories on their official website or GitHub repository for the latest information.