Platform
php
Component
wwbn/avideo
Fixed in
26.0.1
CVE-2026-34611 is a Cross-Site Request Forgery (CSRF) vulnerability in the objects/emailAllUsers.json.php endpoint of the wwbn/avideo platform. The endpoint accepts a mass-mail request on the strength of the administrator's session cookie alone, so an attacker who lures a logged-in administrator to a page under the attacker's control can have the administrator's browser submit an HTML email that is then sent to every registered user from the instance's own SMTP address. The vulnerability affects wwbn/avideo up to and including 26.0 and is fixed in 26.0.1.
The primary impact of CVE-2026-34611 is that an attacker can send arbitrary HTML email to every user of the AVideo instance, which can be used for phishing, malware delivery, or damage to the platform's reputation. Because the messages come from the instance's legitimate SMTP address, recipients are more likely to trust them. Exploitation requires an administrator to be logged in and to load attacker-controlled content in the same browser; the attacker's page submits the request itself, so no further interaction is needed. The instance's session cookie being set with SameSite=None makes this worse: the browser attaches the administrator's session cookie to cross-site POST requests, so the browser-side protection that SameSite=Lax or Strict would provide is absent and the endpoint's missing token check is the only line of defence. A successful attack could result in widespread user compromise and significant reputational damage to the AVideo instance and its operator.
CVE-2026-34611 was publicly disclosed on 2026-04-01. There is no indication of active exploitation at this time, and it is not listed in the CISA KEV catalog. Public proof-of-concept (PoC) code is not currently available, but CSRF of this kind is straightforward to reproduce once the endpoint's request format is known, so the absence of a PoC should not be read as protection.
Exploit Status
EPSS
0.02% (3rd percentile)
The recommended mitigation for CVE-2026-34611 is to upgrade wwbn/avideo to 26.0.1 or later. If an immediate upgrade is not possible, apply temporary workarounds. A Web Application Firewall (WAF) or reverse proxy cannot verify a CSRF token the application does not issue, but it can reject POST requests to objects/emailAllUsers.json.php whose Origin (or, failing that, Referer) header is not the instance's own origin, or restrict that path to administrator IP ranges. Changing the session cookie from SameSite=None to Lax or Strict removes the cross-site cookie attachment the attack depends on, provided nothing else on the instance relies on cross-site cookies. Short administrator session timeouts narrow the window in which a lured administrator still holds a valid session; multi-factor authentication does not stop CSRF on its own, because the attack rides an already-authenticated session, but it remains good practice for administrator accounts. Regularly review administrator activity and outbound mail logs for unexpected bulk sends. After upgrading, confirm the fix from a browser that holds an administrator session by submitting the mass-mail request from a page on a different origin (a cross-site form POST without the application's token); the server should reject it, while the same request from the admin UI should succeed.
Update AVideo to 26.0.1 or later. As a temporary measure, add CSRF token validation (and an Origin check) to the objects/emailAllUsers.json.php endpoint so that cross-site requests are rejected.
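To make the impact and mitigation points above concrete, the following is an added example, not AVideo's own code and not the 26.0.1 patch. It shows a PHP endpoint with the shape this advisory describes beside a hardened version: the session cookie is no longer SameSite=None, a per-session synchronizer token is checked with hash_equals(), and an Origin/Referer check provides defence in depth. The field names subject, message and csrf_token, the X-CSRF-Token header, the site origin https://avideo.example and the send_email_to_all_users() placeholder are all assumptions made for illustration.

```php
<?php
// Added example, not AVideo's own code: the CSRF shape this advisory
// describes and one way to harden it. Field names (subject, message,
// csrf_token), the X-CSRF-Token header, the site origin and
// send_email_to_all_users() are assumptions for illustration.
declare(strict_types=1);

// Placeholder for the instance's mailer (hypothetical).
function send_email_to_all_users(string $subject, string $html): void
{
    error_log("would mail all users: subject=$subject, bytes=" . strlen($html));
}

// Do not mark the session cookie SameSite=None: Lax (or Strict) stops the
// browser attaching it to cross-site POSTs in the first place.
session_set_cookie_params([
    'secure' => true, 'httponly' => true, 'samesite' => 'Lax',
]);
session_start();

// --- Vulnerable shape: the admin's session cookie is the only check, so a
// form auto-submitted from another origin is indistinguishable from the
// real admin UI.
function vulnerable_handler(): void
{
    if (empty($_SESSION['is_admin'])) {
        http_response_code(403);
        exit;
    }
    send_email_to_all_users($_POST['subject'] ?? '', $_POST['message'] ?? '');
}

// --- Hardened shape: POST only, synchronizer token, Origin/Referer check.

// Per-session token; embed it in the admin form as a hidden field or send it
// in an X-CSRF-Token header from the admin page's JavaScript.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// True only if the submitted value is a string that matches the session's
// token; hash_equals() is constant-time. Non-strings (e.g. csrf_token[]=x)
// fail closed.
function csrf_token_valid($submitted): bool
{
    if (!is_string($submitted) || $submitted === '' || empty($_SESSION['csrf_token'])) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], $submitted);
}

// Defence in depth: browsers always send Origin on cross-site POSTs, so a
// mismatch means a cross-site request. Fall back to Referer, and fail closed
// when neither header is present.
function origin_allowed(string $siteOrigin, array $server): bool
{
    if (isset($server['HTTP_ORIGIN'])) {
        return strcasecmp($server['HTTP_ORIGIN'], $siteOrigin) === 0;
    }
    if (!isset($server['HTTP_REFERER'])) {
        return false;
    }
    $p = parse_url($server['HTTP_REFERER']);
    if ($p === false || empty($p['scheme']) || empty($p['host'])) {
        return false;
    }
    $refOrigin = $p['scheme'] . '://' . $p['host']
        . (isset($p['port']) ? ':' . $p['port'] : '');
    return strcasecmp($refOrigin, $siteOrigin) === 0;
}

function hardened_handler(string $siteOrigin): void
{
    header('Content-Type: application/json');
    if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST') {
        http_response_code(405);
        exit;
    }
    if (empty($_SESSION['is_admin'])) {
        http_response_code(403);
        exit;
    }
    $token = $_POST['csrf_token'] ?? $_SERVER['HTTP_X_CSRF_TOKEN'] ?? null;
    if (!origin_allowed($siteOrigin, $_SERVER) || !csrf_token_valid($token)) {
        http_response_code(403);
        echo json_encode(['error' => 'CSRF check failed']);
        exit;
    }
    send_email_to_all_users($_POST['subject'] ?? '', $_POST['message'] ?? '');
    echo json_encode(['error' => false]);
}

hardened_handler('https://avideo.example');
```

Running all three layers matters: the Origin check is cheap and stops the browser-driven attack outright, the token check still holds if a proxy strips or rewrites headers, and the SameSite=Lax cookie means the session is not even attached to the forged request. When testing the fix, a cross-origin POST carrying the admin cookie but no token must get the 403, and the same POST from the admin UI with a valid token must succeed.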
CVE-2026-34611 is a Cross-Site Request Forgery (CSRF) vulnerability in the objects/emailAllUsers.json.php endpoint of wwbn/avideo, allowing attackers to send malicious emails to all users.
You are affected if you run wwbn/avideo 26.0 or earlier. Upgrade to 26.0.1 or later as soon as possible.
The primary fix is to upgrade to wwbn/avideo 26.0.1 or later. As a temporary workaround, block cross-origin POSTs to the affected endpoint (for example with WAF or proxy rules keyed on the Origin header), set the session cookie to SameSite=Lax or Strict, and shorten administrator session lifetimes.
There is currently no evidence of active exploitation, but the vulnerability's nature makes it a potential target.
Refer to the official wwbn/avideo security advisories for the most up-to-date information and patch details.