MEDIUM · CVE-2026-40928 · CVSS 5.4

CVE-2026-40928: CSRF in AVideo 1.0.0–29.0

Platform

php

Component

avideo

Fixed in

29.0.1

AI Confidence: high · NVD EPSS 0.0% · Reviewed: May 2026

CVE-2026-40928 describes a Cross-Site Request Forgery (CSRF) vulnerability affecting AVideo versions 1.0.0 through 29.0. The flaw lets an attacker perform actions on behalf of an authenticated user without that user's knowledge, potentially leading to unauthorized modification of content and user data. The root cause is a lack of CSRF protection on several JSON endpoints within the objects/ directory: the endpoints act on the session cookie alone, with no token or origin check tying the request to the site's own pages. A fix is available in version 29.1.

Impact and Attack Scenarios

The impact of CVE-2026-40928 is significant because exploitation is easy and the affected actions are broad. An attacker could craft a malicious webpage that, when visited by a logged-in AVideo user, silently executes actions such as altering comment likes/dislikes, posting comments with attacker-controlled text, and even deleting assets if the user possesses the necessary permissions. This could result in reputational damage, data manipulation, and disruption of service. The ability to post comments as the victim opens the door to phishing and the spread of misinformation. The blast radius extends to all users of affected AVideo installations, particularly those with administrative or content management privileges.

Exploitation Context

CVE-2026-40928 was published on 2026-04-21. The vulnerability's ease of exploitation and potential impact suggest a medium probability of exploitation. No public Proof-of-Concept (PoC) code has been released as of this writing, but the nature of the vulnerability makes it likely that PoCs will emerge. It is not currently listed on KEV or associated with any known active exploitation campaigns. Refer to the official AVideo advisory for further details.

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No
Internet Exposure: High

EPSS

0.02% (5% percentile)

CISA SSVC

Exploitation: poc
Automatable: no
Technical Impact: partial

CVSS Vector

CVSS 3.1 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L (base score 5.4, MEDIUM)

Attack Vector: Network (how the attacker reaches the target)
Attack Complexity: Low (conditions required to exploit)
Privileges Required: None (authentication level needed to attack)
User Interaction: Required (whether a victim must take action)
Scope: Unchanged (impact beyond the vulnerable component)
Confidentiality: None (risk of sensitive data exposure)
Integrity: Low (risk of unauthorized data modification)
Availability: Low (risk of service disruption)

nextguardhq.com · CVSS v3.1 Base Score
What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required
None — unauthenticated. No login or credentials needed to exploit.
User Interaction
Required — victim must take an action: open a file, click a link, or visit a crafted page.
Scope
Unchanged — impact is limited to the vulnerable component itself.
Confidentiality
None — no confidentiality impact. Attacker cannot read protected data.
Integrity
Low — attacker can modify some data with limited scope or impact.
Availability
Low — partial or intermittent denial of service. Attacker can degrade performance.

Affected Software

Component: avideo
Vendor: WWBN
Affected range: <= 29.0
Fixed in: 29.0.1

Weakness Classification (CWE)

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated

Mitigation and Workarounds

The primary mitigation for CVE-2026-40928 is to upgrade AVideo to version 29.1 or later, which includes the necessary CSRF protections. If upgrading immediately is not feasible, consider temporary workarounds: strict Content Security Policy (CSP) headers to restrict the sources from which scripts can be executed, and Referer (or Origin) checks on the vulnerable endpoints so that state-changing requests are accepted only when they originate from the site's own pages. Web Application Firewalls (WAFs) can be configured to detect and block suspicious requests targeting the affected JSON endpoints. After upgrading, verify the fix by attempting to trigger the vulnerable actions from a different browser session or incognito window and confirming that the requests are rejected, which shows that CSRF protection is now in place.
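The following is an added example, not code from AVideo or its fix, showing what the protections described above look like on a state-changing JSON endpoint in PHP. The endpoint path, the comment like/dislike handler, the hostname and the request headers are all hypothetical or constructed; the application's real endpoints under objects/ are not reproduced here. It assumes the application has already started a PHP session, and passes the session array and headers in explicitly so the decision logic can be run from the command line without a web server.

```php
<?php
declare(strict_types=1);

// Added example, not AVideo's code. A hypothetical comment like/dislike
// JSON endpoint guarded by (1) a per-session CSRF token compared in
// constant time and (2) an independent same-origin check on the request's
// provenance headers. $session stands in for $_SESSION so the logic can be
// exercised from the CLI.

function csrf_token(array &$session): string
{
    // Issue one unpredictable token per session and reuse it; the page
    // embeds it (e.g. in a <meta> tag) and the site's JS sends it back in a header.
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

function csrf_token_valid(array $session, ?string $submitted): bool
{
    if (empty($session['csrf_token']) || $submitted === null) {
        return false;
    }
    // hash_equals() runs in constant time, so a wrong token does not reveal
    // how many leading characters were correct.
    return hash_equals($session['csrf_token'], $submitted);
}

function same_origin_request(array $headers, string $allowedHost): bool
{
    // Modern browsers send Sec-Fetch-Site on every request and page script
    // cannot override it, so it is the strongest signal when present.
    if (isset($headers['Sec-Fetch-Site'])) {
        return $headers['Sec-Fetch-Site'] === 'same-origin';
    }
    // Fallback for older clients: Origin (sent on cross-site POSTs) or Referer
    // must name our own host. A request carrying neither is rejected, because a
    // forged request may deliberately strip both.
    $source = $headers['Origin'] ?? $headers['Referer'] ?? null;
    if ($source === null) {
        return false;
    }
    $host = parse_url($source, PHP_URL_HOST);
    return is_string($host) && strcasecmp($host, $allowedHost) === 0;
}

// Guarded handler for a hypothetical POST objects/commentVote.json.php.
// Returns [HTTP status, response array] instead of echoing, so the checks
// can be tested directly.
function handle_comment_vote(array &$session, array $headers, string $rawBody, string $allowedHost): array
{
    // An HTML <form> cannot send application/json without a CORS preflight,
    // so requiring it removes the simplest cross-site submission path.
    if (($headers['Content-Type'] ?? '') !== 'application/json') {
        return [415, ['error' => 'expected application/json']];
    }
    if (!same_origin_request($headers, $allowedHost)) {
        return [403, ['error' => 'cross-site request rejected']];
    }
    $body = json_decode($rawBody, true);
    if (!is_array($body)) {
        return [400, ['error' => 'malformed JSON body']];
    }
    if (!csrf_token_valid($session, $headers['X-CSRF-Token'] ?? null)) {
        return [403, ['error' => 'missing or invalid CSRF token']];
    }
    $commentId = filter_var($body['comment_id'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    $action    = $body['action'] ?? '';
    if ($commentId === false || !in_array($action, ['like', 'dislike'], true)) {
        return [400, ['error' => 'invalid comment_id or action']];
    }
    // Only at this point would the real application update the database.
    return [200, ['ok' => true, 'comment_id' => $commentId, 'action' => $action]];
}

if (PHP_SAPI === 'cli') {
    $session = [];
    $token   = csrf_token($session);
    $host    = 'videos.example.test'; // constructed hostname

    // Constructed forged request: a form post from another site carries the
    // victim's cookies (hence the session) but no token and a foreign origin.
    [$status] = handle_comment_vote($session, [
        'Content-Type'   => 'application/x-www-form-urlencoded',
        'Origin'         => 'https://attacker.example.test',
        'Sec-Fetch-Site' => 'cross-site',
    ], 'comment_id=42&action=dislike', $host);
    echo "forged request: HTTP $status\n";

    // Constructed legitimate request issued by the site's own JavaScript.
    [$status, $resp] = handle_comment_vote($session, [
        'Content-Type'   => 'application/json',
        'Sec-Fetch-Site' => 'same-origin',
        'X-CSRF-Token'   => $token,
    ], json_encode(['comment_id' => 42, 'action' => 'like']), $host);
    echo "legitimate request: HTTP $status " . json_encode($resp) . "\n";
}
```

Run it with `php` on the command line: the forged request is refused before the session is consulted, and the legitimate one is accepted. The three checks are deliberately independent, so a gap in one (for instance a client that omits Sec-Fetch-Site and Origin) still leaves the token check in place; this is the layering the advisory's "referer checks" workaround provides on its own only partially, which is why upgrading to the release that adds token protection remains the primary fix.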

How to fix

Update the AVideo plugin to version 29.1 or later to mitigate the vulnerability. This update implements security measures that prevent the manipulation of comments and votes and the deletion of assets through CSRF requests.


Frequently asked questions

What is CVE-2026-40928 — CSRF in AVideo?

CVE-2026-40928 is a Cross-Site Request Forgery (CSRF) vulnerability in AVideo versions 1.0.0 through 29.0, allowing attackers to perform actions as logged-in users without their consent.

Am I affected by CVE-2026-40928 in AVideo?

If you are using AVideo versions 1.0.0 through 29.0, you are potentially affected by this vulnerability. Upgrade to version 29.1 or later to mitigate the risk.

How do I fix CVE-2026-40928 in AVideo?

The recommended fix is to upgrade AVideo to version 29.1 or later. As a temporary workaround, implement CSP headers and referer checks.

Is CVE-2026-40928 being actively exploited?

No public exploitation campaigns have been reported as of this writing, but the vulnerability's ease of exploitation suggests a potential risk.

Where can I find the official AVideo advisory for CVE-2026-40928?

Refer to the official AVideo security advisory for detailed information and updates regarding CVE-2026-40928.
