CVE-2026-33649: CSRF in wwbn/avideo ≤26.0
Platform: php
Component: wwbn/avideo
Fixed in: 26.0.1
CVE-2026-33649 describes a Cross-Site Request Forgery (CSRF) vulnerability within the wwbn/avideo component, affecting versions up to 26.0. This flaw allows an attacker to manipulate user group permissions without authentication, potentially granting them near-administrator privileges. The vulnerability stems from a lack of CSRF protection on a permission-setting endpoint and insecure cookie configurations, enabling silent privilege escalation.
Impact and Attack Scenarios
The impact of CVE-2026-33649 is significant due to the potential for privilege escalation. An attacker can craft a malicious webpage containing an <img> tag that, when visited by an authenticated administrator, will silently modify user group permissions. This allows the attacker to grant their own user group elevated privileges, effectively gaining near-administrator access to the system. The combination of missing CSRF protection and the session.cookie_samesite=None setting makes exploitation relatively straightforward, as the attacker can bypass same-site cookie restrictions. Successful exploitation could lead to unauthorized data access, modification, or deletion, and potentially complete system compromise.
Exploitation Context
CVE-2026-33649 was published on March 25, 2026. The vulnerability's severity is rated HIGH with a CVSS score of 8.1. Currently, there are no publicly known Proof-of-Concept (POC) exploits. The vulnerability is not listed on KEV or EPSS, suggesting a low to medium probability of active exploitation at this time. Monitor security advisories and threat intelligence feeds for any updates regarding exploitation attempts.
Threat Intelligence
EPSS: 0.02% (6th percentile)
CVSS Vector
- Attack Vector: Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
- Attack Complexity: Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
- Privileges Required: None — unauthenticated. No login or credentials needed to exploit.
- User Interaction: Required — victim must take an action: open a file, click a link, or visit a crafted page.
- Scope: Unchanged — impact is limited to the vulnerable component itself.
- Confidentiality: High — complete confidentiality loss. Attacker can read all data: credentials, keys, personal data.
- Integrity: High — attacker can write, modify, or delete any data: databases, config files, or code.
- Availability: None — no availability impact. Service remains fully operational.
Mitigation and Workarounds
The primary mitigation for CVE-2026-33649 is to upgrade to a patched version of wwbn/avideo that addresses the CSRF vulnerability. If upgrading immediately is not possible, consider implementing a temporary workaround by restricting access to the plugin/Permissions/setPermission.json.php endpoint to trusted users only. Additionally, review and tighten cookie security settings, ensuring that session.cookie_samesite is set to Lax or Strict to prevent cross-site cookie access. Implement a Web Application Firewall (WAF) rule to block requests to the vulnerable endpoint with suspicious parameters. After upgrading, confirm the fix by attempting to trigger the permission modification via a crafted URL and verifying that the request is rejected or requires authentication.
How to fix
Update AVideo to a patched version that fixes the CSRF vulnerability in the `plugin/Permissions/setPermission.json.php` endpoint. Since no patched versions were available at the time of publication, it is recommended to monitor WWBN security updates and apply the patch as soon as it becomes available. As a temporary measure, CSRF validation can be implemented on the affected endpoint.
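The two measures above (a SameSite session cookie plus CSRF validation on the permission endpoint) combined into one hardened request gate, as an added example that is not AVideo's own code; `SITE_ORIGIN`, `$_SESSION['is_admin']` and the function names are assumptions for illustration.

```php
<?php
// Added example, not AVideo's own code: a hardened pattern for a state-changing
// endpoint such as plugin/Permissions/setPermission.json.php. SITE_ORIGIN, the
// 'is_admin' session flag and the function names are assumptions.
declare(strict_types=1);

const SITE_ORIGIN = 'https://avideo.example';   // assumed deployment origin

// 1. Session cookie with SameSite=Lax: browsers withhold it on cross-site
//    subresource loads such as <img src="...">, which closes the silent-GET path
//    that session.cookie_samesite=None leaves open.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
session_start();

// 2. Per-session CSRF token, generated once and embedded in legitimate forms.
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// 3. Accept only a same-origin POST that carries the session's token.
function requestIsTrusted(array $server, array $post): bool
{
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return false;                              // GET (e.g. via <img>) is refused
    }
    if (($server['HTTP_ORIGIN'] ?? '') !== SITE_ORIGIN) {
        return false;                              // cross-site or missing Origin
    }
    $token = (string) ($post['csrf_token'] ?? '');
    return $token !== '' && hash_equals(csrfToken(), $token); // constant-time compare
}

// 4. Gate the permission change on both the CSRF check and an admin session.
header('Content-Type: application/json');
if (!requestIsTrusted($_SERVER, $_POST) || empty($_SESSION['is_admin'])) {
    http_response_code(403);
    echo json_encode(['error' => true, 'msg' => 'request rejected']);
    exit;
}
// ... the existing permission-update logic would run only past this point.
```

Legitimate admin forms must then submit via POST and include the token from `csrfToken()` as the `csrf_token` field; a cross-site `<img>` request fails the method check before any permission is touched.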
Frequently asked questions
What is CVE-2026-33649 — CSRF in wwbn/avideo?
CVE-2026-33649 is a Cross-Site Request Forgery (CSRF) vulnerability in wwbn/avideo versions up to 26.0 that allows attackers to escalate privileges by silently modifying user group permissions.
Am I affected by CVE-2026-33649 in wwbn/avideo?
You are affected if you are using wwbn/avideo version 26.0 or earlier. Check your version and upgrade as soon as a patch is available.
How do I fix CVE-2026-33649 in wwbn/avideo?
The recommended fix is to upgrade to a patched version of wwbn/avideo that addresses the CSRF vulnerability. As a temporary workaround, restrict access to the vulnerable endpoint and review cookie security settings.
Is CVE-2026-33649 being actively exploited?
Currently, there are no publicly known Proof-of-Concept (POC) exploits or reports of active exploitation, but it's crucial to apply the patch proactively.
Where can I find the official wwbn/avideo advisory for CVE-2026-33649?
Refer to the official wwbn/avideo security advisories and release notes for details on the patch and any related information.