Platform: php
Component: avideo
Fixed in: 26.0.1
CVE-2026-35181 describes a Cross-Site Request Forgery (CSRF) vulnerability in AVideo, an open-source video platform. The admin/playerUpdate.json.php endpoint accepts state-changing requests without a CSRF token, so an attacker who lures a logged-in administrator to a page they control can have that administrator's browser submit a request that changes the video player's appearance across the entire platform. The vulnerability affects versions 0.0.0 up to and including 26.0; a fix is available in version 26.1.
The primary impact is manipulation of the visual presentation of the AVideo platform. A forged request can alter the video player's skin and potentially inject unwanted branding, misleading content, or even script into the player configuration. This can damage the platform's reputation, confuse users, or serve as a stepping stone for further attacks. The endpoint's use of ignoreTableSecurityCheck() bypasses the ORM's built-in table security checks, removing a layer that might otherwise have limited the write. Exploitation from a third-party origin requires the victim's browser to attach the AVideo session cookie to the forged POST; it does so when the cookie is marked SameSite=None, whereas SameSite=Lax or Strict withholds the cookie from cross-site POSTs and the forged request arrives unauthenticated.
This vulnerability was publicly disclosed on 2026-04-06. No public proof-of-concept (PoC) code had been identified at the time of writing, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog. Because a CSRF exploit is a single forged form post, the main effort for an attacker is getting a logged-in AVideo administrator to load a page they control; given the public disclosure, attempts against exposed installations should be expected.
Organizations and individuals hosting or streaming video with AVideo are at risk. Deployments whose session cookie is set with SameSite=None are the most exposed, because the browser will attach that cookie to a cross-site POST. Instances with many administrator accounts (for example shared hosting where several parties administer one AVideo installation) carry more risk, since any one of those administrators who visits an attacker-controlled page while logged in can be made to submit the forged update on behalf of the whole platform.
• php: Examine web server access logs for POST requests to /admin/playerUpdate.json.php from unexpected client addresses, and check the Referer field of each hit: a legitimate admin-panel submission carries a same-site Referer, while a forged cross-site request carries a foreign one or none at all.
grep -i 'playerUpdate.json.php' /var/log/apache2/access.log | grep -i 'POST' | grep -v '127.0.0.1'
If AVideo sits behind a reverse proxy, the logged client address is the proxy's; make sure the LogFormat records X-Forwarded-For and filter on that field instead of excluding 127.0.0.1.
• php: Search the AVideo source tree for uses of ignoreTableSecurityCheck(), which disables the ORM's table security checks wherever it is called.
grep -r ignoreTableSecurityCheck /var/www/avideo/
• generic web: Monitor for unexpected changes to the video player's appearance across the platform, which could indicate a successful CSRF attack; comparing the stored player configuration against a known-good copy makes such a change visible without relying on user reports.
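The grep above only lists hits. The following added Python script (not part of the advisory and not AVideo code) applies the same filter to Apache combined-format log lines and additionally flags each matching POST whose Referer is missing or points at a host other than the site's own. The log lines, the site host video.example.org and the attacker host evil.example are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed sample traffic in Apache "combined" LogFormat; not real log data.
# Lines 1 and 3 are what a forged cross-site POST would look like (foreign or
# suppressed Referer), line 2 is a normal admin-panel submission, line 4 is a
# local job, lines 5 and 6 are not POSTs to the endpoint.
SAMPLE_LOG = """\
203.0.113.7 - - [06/Apr/2026:10:01:12 +0000] "POST /admin/playerUpdate.json.php HTTP/1.1" 200 512 "https://evil.example/lure.html" "Mozilla/5.0"
198.51.100.4 - admin [06/Apr/2026:10:02:30 +0000] "POST /admin/playerUpdate.json.php HTTP/1.1" 200 512 "https://video.example.org/admin/player" "Mozilla/5.0"
198.51.100.9 - - [06/Apr/2026:10:03:01 +0000] "POST /admin/playerUpdate.json.php?x=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
127.0.0.1 - - [06/Apr/2026:10:03:05 +0000] "POST /admin/playerUpdate.json.php HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.8 - - [06/Apr/2026:10:04:00 +0000] "GET /admin/playerUpdate.json.php HTTP/1.1" 200 512 "https://evil.example/" "Mozilla/5.0"
192.0.2.3 - - [06/Apr/2026:10:05:00 +0000] "GET /video/123 HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
"""

# Apache combined format: ip ident user [time] "METHOD path proto" status bytes "referer" "ua"
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

TARGET = "/admin/playerUpdate.json.php"
TRUSTED_IPS = {"127.0.0.1", "::1"}   # local cron/CLI traffic the grep excludes


def classify(line, site_host):
    """Return a dict describing a suspicious POST to the endpoint, else None."""
    m = COMBINED.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    # The advisory's detection is about POSTs; drop the method test if you
    # find that the endpoint also honours GET in your version.
    if rec["method"] != "POST" or urlsplit(rec["path"]).path != TARGET:
        return None
    if rec["ip"] in TRUSTED_IPS:
        return None
    referer = rec["referer"]
    if referer in ("", "-"):
        # A forged page can suppress Referer (e.g. a no-referrer policy); a
        # real admin-panel form submission normally carries a same-site one.
        rec["reason"] = "no-referer"
        return rec
    host = (urlsplit(referer).hostname or "").lower()
    if host != site_host.lower():
        rec["reason"] = "foreign-referer:" + host
        return rec
    return None


def scan(log_text, site_host):
    """Apply classify() to every line; returns the suspicious records in log order."""
    hits = []
    for line in log_text.splitlines():
        rec = classify(line, site_host)
        if rec is not None:
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG, "video.example.org"):
        print(f'{hit["ts"]} {hit["ip"]} {hit["status"]} {hit["reason"]}')
```

On the constructed sample the scan reports two lines: the POST with the evil.example Referer and the POST with no Referer at all. The same-site submission and the localhost request are not reported. A missing Referer is a weaker signal than a foreign one (some privacy extensions strip it), so treat "no-referer" hits as candidates to correlate with the player configuration history rather than as confirmed attacks.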
Disclosure: 2026-04-06
Exploit status: no public PoC identified at the time of writing; not listed in CISA KEV
EPSS: 0.02% (3rd percentile)
CISA SSVC
CVSS vector
The recommended mitigation is to upgrade AVideo to version 26.1 or later, which adds CSRF token validation to the endpoint. If upgrading is not immediately feasible, place a Web Application Firewall (WAF) or reverse-proxy rule in front of admin/playerUpdate.json.php that rejects POST requests whose Origin header (or, failing that, Referer header) is not the site's own origin; a WAF cannot validate application CSRF tokens that the unpatched code never issues, so the origin check is the realistic interim control. Additionally, set the session cookie's SameSite attribute to Strict or Lax so the browser withholds it from cross-site POSTs and a forged request arrives unauthenticated. Verify the fix from a logged-in administrator session: replay a player-skin update with the CSRF token parameter removed or altered (from the browser's developer tools or an intercepting proxy) and confirm that the endpoint rejects it and the skin is unchanged. A request from an unauthenticated session does not exercise CSRF protection at all, since CSRF relies on the victim's existing session.
Update AVideo to version 26.1 or later to fix the CSRF vulnerability. This update adds the missing CSRF token validation at the endpoint that configures the player skin file and thus prevents unauthorized changes to the video player's appearance.
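The following added Python example (illustrative code, not AVideo's PHP and not the upstream patch) models the two server-side checks described above as a decision function for a POST to admin/playerUpdate.json.php: the Origin/Referer check a WAF or reverse proxy can enforce, and the per-session synchronizer token that the fixed version validates. It keeps the pre-fix decision (session only) alongside for contrast, and runs the verification the text calls for, a same-origin admin request with the token removed. The site origin https://video.example.org, the attacker origin evil.example, and all function names are assumptions made for the example.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Assumed deployment origin of the AVideo instance (example value).
SITE_ORIGIN = "https://video.example.org"


def issue_csrf_token(session):
    """Create (once per session) the random token the admin form must echo back."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def origin_of(url):
    """Normalise a URL or Origin value to scheme://host:port, or None if unparsable."""
    p = urlsplit(url)
    if not p.scheme or not p.hostname:
        return None
    port = p.port or (443 if p.scheme == "https" else 80)
    return f"{p.scheme}://{p.hostname.lower()}:{port}"


def same_site_origin(headers, site_origin=SITE_ORIGIN):
    """Layer 1: browsers send Origin on cross-site POSTs; fall back to Referer.
    A missing header or the literal 'null' (opaque origin) counts as cross-site.
    This is the check a WAF or reverse proxy can enforce without touching the app."""
    src = headers.get("Origin") or headers.get("Referer")
    if not src or src == "null":
        return False
    return origin_of(src) == origin_of(site_origin)


def authorize_player_update(session, headers, form):
    """Hardened decision for a POST to admin/playerUpdate.json.php -> (allowed, reason)."""
    if not session.get("is_admin"):
        return False, "not-admin"
    if not same_site_origin(headers):
        return False, "cross-site-origin"
    # Layer 2: synchronizer token tied to the session, compared in constant time.
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected, supplied):
        return False, "bad-csrf-token"
    return True, "ok"


def vulnerable_authorize(session, headers, form):
    """Pre-fix behaviour as the advisory describes it: only the session is checked,
    so a forged cross-site request riding a logged-in admin's cookie goes through."""
    return (True, "ok") if session.get("is_admin") else (False, "not-admin")


def demo():
    admin_session = {"is_admin": True}          # the victim's authenticated session
    token = issue_csrf_token(admin_session)      # embedded in the genuine admin form
    same_origin = {"Origin": SITE_ORIGIN, "Referer": SITE_ORIGIN + "/admin/player"}
    cross_origin = {"Origin": "https://evil.example",
                    "Referer": "https://evil.example/lure.html"}   # attacker's lure page
    return {
        "legit": authorize_player_update(admin_session, same_origin,
                                         {"csrf_token": token, "skin": "dark"}),
        "forged_fixed": authorize_player_update(admin_session, cross_origin, {"skin": "evil"}),
        "forged_vulnerable": vulnerable_authorize(admin_session, cross_origin, {"skin": "evil"}),
        # Post-upgrade verification: same-origin admin request with the token removed.
        "no_token": authorize_player_update(admin_session, same_origin, {"skin": "dark"}),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:18} -> {outcome}")
```

The forged request fails the origin check before the token is even consulted, while the same-origin request without a token fails on the token; that second outcome is what the verification step after an upgrade should produce. The SameSite=Lax or Strict cookie attribute is a third, browser-side layer that this server-side code cannot show: with it set, the forged POST would reach the server with no session at all and fail the not-admin check instead.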
CVE-2026-35181 is a Cross-Site Request Forgery (CSRF) vulnerability affecting AVideo versions 0.0.0 through 26.0, allowing attackers to modify the video player's appearance.
If you are running AVideo version 0.0.0 through 26.0, you are potentially affected by this vulnerability. Upgrade to version 26.1 or later to mitigate the risk.
The recommended fix is to upgrade AVideo to version 26.1 or later. As a temporary workaround, add a WAF or reverse-proxy rule that rejects POST requests to /admin/playerUpdate.json.php whose Origin or Referer header is not the site's own origin, and set the session cookie to SameSite=Lax or Strict.
There are currently no confirmed reports of active exploitation, but the vulnerability's simplicity suggests it could be exploited.
Refer to the AVideo project's official website and security advisories for the latest information and updates regarding CVE-2026-35181.