Platform
php
Component
avideo
Fixed in
29.0.1
CVE-2026-40929 describes a Cross-Site Request Forgery (CSRF) vulnerability in AVideo versions 1.0.0 through 29.0. This flaw allows an attacker to delete comments belonging to authenticated users, such as site moderators, video owners, and comment authors, by crafting malicious requests. The vulnerability stems from the objects/commentDelete.json.php endpoint lacking proper CSRF validation, and a fix is available in version 29.1.
An attacker can leverage this CSRF vulnerability to maliciously delete comments on AVideo videos. This can disrupt discussions, remove valuable content, and potentially damage the reputation of the website. Given AVideo's intentional configuration of session.cookie_samesite=None to support cross-origin embed players, any attacker-controlled page can automatically carry the victim's PHPSESSID, simplifying exploitation. The impact is amplified for users with elevated privileges, such as site moderators, video owners, and comment authors, as they have the authority to delete comments. This vulnerability could be exploited to silence dissenting voices or manipulate the narrative surrounding a video.
CVE-2026-40929 was publicly disclosed on 2026-04-21. No public proof-of-concept (PoC) code has been released at the time of writing, but the vulnerability's simplicity suggests a high likelihood of PoC development. The vulnerability is not currently listed on CISA KEV. The lack of CSRF protection in a state-mutating endpoint is a common attack vector, and this vulnerability shares similarities with other CSRF exploits targeting web applications.
Exploit status
EPSS
0.02% (5th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-40929 is to upgrade AVideo to version 29.1 or later, which includes the necessary CSRF protection. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to block requests to objects/commentDelete.json.php that do not originate from the same origin. Additionally, ensure that users are educated about the risks of clicking on suspicious links or visiting untrusted websites. Review AVideo's configuration to ensure that session.cookie_samesite=None is only enabled when absolutely necessary and that other CSRF mitigation techniques are in place.
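As an added illustration of the missing check described above (not AVideo's code or its actual patch), the guard below shows the two server-side controls a state-mutating JSON endpoint needs even when the session cookie is sent with SameSite=None: an Origin/Referer allow-list plus a per-session synchronizer token. The function name, the `csrf_token` session key and the allowed-origin list are assumptions for the example.

```php
<?php
// Illustrative CSRF guard for a state-mutating endpoint such as
// objects/commentDelete.json.php. Hypothetical helper, not project code.

function csrfGuardPasses(array $server, array $post, array $session, array $allowedOrigins): bool
{
    // 1. Origin check. Browsers set Origin/Referer themselves, so a page on
    //    another site cannot make the request look same-origin.
    $origin = $server['HTTP_ORIGIN'] ?? null;
    if ($origin === null && isset($server['HTTP_REFERER'])) {
        $parts = parse_url($server['HTTP_REFERER']);
        if ($parts !== false && isset($parts['scheme'], $parts['host'])) {
            $origin = $parts['scheme'] . '://' . $parts['host']
                    . (isset($parts['port']) ? ':' . $parts['port'] : '');
        }
    }
    if ($origin === null || !in_array($origin, $allowedOrigins, true)) {
        return false; // no origin information, or a foreign origin: refuse
    }

    // 2. Sec-Fetch-Site, when the browser sends it, must not say cross-site.
    if (($server['HTTP_SEC_FETCH_SITE'] ?? 'same-origin') === 'cross-site') {
        return false;
    }

    // 3. Synchronizer token: the POST body must carry the token that was
    //    issued with this session; compare in constant time.
    $expected = $session['csrf_token'] ?? '';
    $supplied = $post['csrf_token'] ?? '';
    return $expected !== '' && is_string($supplied) && hash_equals($expected, $supplied);
}

// Constructed sample requests: one from the site itself, one from a third-party page.
$allowed = ['https://videos.example.com'];            // constructed site origin
$session = ['csrf_token' => bin2hex(random_bytes(32))]; // token issued at login
$body    = ['csrf_token' => $session['csrf_token']];     // token echoed by the legitimate form

$sameSite  = ['HTTP_ORIGIN' => 'https://videos.example.com', 'HTTP_SEC_FETCH_SITE' => 'same-origin'];
$crossSite = ['HTTP_ORIGIN' => 'https://third-party.example', 'HTTP_SEC_FETCH_SITE' => 'cross-site'];

var_dump(csrfGuardPasses($sameSite, $body, $session, $allowed));
var_dump(csrfGuardPasses($crossSite, $body, $session, $allowed));

// In the endpoint, run the guard before any deletion logic:
// if (!csrfGuardPasses($_SERVER, $_POST, $_SESSION, $allowed)) {
//     http_response_code(403);
//     echo json_encode(['error' => true, 'msg' => 'CSRF check failed']);
//     exit;
// }
```

The cross-site request fails even though it carries the valid session cookie, which is exactly the case SameSite=None leaves open; the token check alone would also stop it, since the attacker's page cannot read the victim's token.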
Update AVideo to version 29.1 or later to fix the vulnerability. The update adds the missing CSRF protection to the `objects/commentDelete.json.php` endpoint and so prevents attackers from mass-deleting comments.
CVE-2026-40929 is a Cross-Site Request Forgery (CSRF) vulnerability affecting AVideo versions 1.0.0 through 29.0. It allows attackers to delete comments without proper CSRF protection, potentially disrupting user interactions and defacing websites.
If you are running AVideo version 1.0.0 through 29.0, you are potentially affected by this vulnerability. Check your AVideo version and upgrade as soon as possible.
The recommended fix is to upgrade AVideo to version 29.1 or later. This version includes the necessary CSRF protection to mitigate the vulnerability.
As of the current assessment, there are no publicly known active campaigns exploiting CVE-2026-40929. However, it's crucial to apply the fix promptly to prevent potential future exploitation.
Refer to the official AVideo security advisory for detailed information and updates regarding CVE-2026-40929. Check the AVideo website or relevant security mailing lists for the latest announcements.