Platform: php
Component: avideo
Fixed in: 26.0.1
CVE-2026-35180 is a Cross-Site Request Forgery (CSRF) vulnerability in WWBN AVideo, an open-source video platform. The site-customization endpoint that updates the platform logo accepts the request without a CSRF token, so a page under an attacker's control can submit that request on behalf of a logged-in administrator and replace the logo with attacker-supplied content. Versions 1.0.0 up to and including 26.0 are affected; the fix ships in version 26.1.
An attacker exploits the flaw by hosting a page that submits a forged request to the logo-update endpoint. If a logged-in administrator visits that page, the browser sends the request with the administrator's session and the platform logo is replaced with content the attacker chose, such as a phishing image or a misleading advertisement. The session cookie is set with SameSite=None, so the browser attaches it to a POST submitted from another origin; with SameSite=Lax or Strict the cookie would be withheld from such a cross-site POST and the forged request would arrive unauthenticated. The immediate impact is cosmetic, but an attacker-controlled image shown on every page is a credible lure for follow-on phishing and undermines user trust in the platform.
This vulnerability was publicly disclosed on 2026-04-06. No public proof-of-concept (PoC) code had been released at the time of writing, but because the endpoint performs no CSRF check, a working exploit needs nothing more than a page that auto-submits the request, so the absence of a PoC should not be read as absence of risk. The vulnerability is not listed in the CISA KEV catalog. The CVSS base score of 4.3 (MEDIUM) rates severity (limited integrity impact, administrator interaction required), not exploitation likelihood; the EPSS figure below is the exploitation-probability estimate.
Exploit Status
EPSS: 0.02% (3rd percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-35180 is to upgrade AVideo to version 26.1 or later, which adds CSRF token validation to the affected endpoint. If upgrading is not immediately feasible, put a WAF or reverse-proxy rule in front of /admin/customizesettingsnativeUpdate.json.php that rejects POST requests whose Origin header (or, failing that, Referer header) does not match the site's own origin, or whose Sec-Fetch-Site header reports a cross-site request; note that the unpatched endpoint issues no CSRF token, so a rule that looks for a token has nothing to validate until the patch is applied. Setting the session cookie to SameSite=Lax or Strict also stops the browser from attaching it to a cross-site POST, provided the platform does not depend on cross-site cookie delivery elsewhere. Restrict reachability of the admin interface (VPN or IP allow-list) to shrink the attack surface, and review access logs for POST requests to this endpoint that carry a missing or foreign Referer.
Update AVideo to version 26.1 or higher to mitigate the CSRF vulnerability. This update implements CSRF token validation in the site customization endpoint, preventing logo overwrites with attacker-controlled content.
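As an added example, not code from the AVideo project or from this advisory, the following Python implements the two interim controls described above: a request-time gate with the Sec-Fetch-Site/Origin/Referer logic a WAF or reverse-proxy rule would apply to POSTs to the endpoint, and an offline scan of combined-format access-log lines that flags POSTs to the endpoint with a missing or foreign Referer. The site origin https://video.example, the attacker host, the client addresses and the log lines are constructed for illustration; only the endpoint path comes from the advisory.

```python
"""Cross-site POST checks for the AVideo logo-update endpoint (added example).

classify_request() is the request-time rule a WAF or reverse proxy would apply;
scan_access_log() reuses it over combined-format log lines, where only the
Referer is available. Hostnames, addresses and log lines below are constructed.
"""
import re
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Endpoint named in the advisory; only POSTs to this path are gated.
TARGET_PATH = "/admin/customizesettingsnativeUpdate.json.php"

# Apache/nginx "combined" format: ip - - [ts] "METHOD PATH PROTO" STATUS BYTES "REFERER" "UA"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def origin_of(url: str) -> Optional[str]:
    """scheme://host[:port] of an absolute URL, lower-cased; None for '-', 'null' or junk."""
    parts = urlsplit(url or "")
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def classify_request(method: str, path: str, headers: Dict[str, str], site_origin: str) -> str:
    """Return "allow" or "block" for one request.

    Precedence: Sec-Fetch-Site (browser-set, not writable by page script), then
    Origin, then Referer. A POST to the endpoint carrying none of them is blocked:
    every browser a CSRF lure could run in sends at least one of these headers.
    Sec-Fetch-Site "none" (direct navigation) is not a source of a form POST
    we want to trust, so only same-origin and same-site pass.
    """
    if method.upper() != "POST" or urlsplit(path).path != TARGET_PATH:
        return "allow"          # not the gated endpoint, or a safe method
    h = {k.lower(): v for k, v in headers.items()}
    site = site_origin.lower()
    if "sec-fetch-site" in h:
        return "allow" if h["sec-fetch-site"] in ("same-origin", "same-site") else "block"
    if "origin" in h:           # "null" or an unparseable Origin fails the comparison
        return "allow" if origin_of(h["origin"]) == site else "block"
    if "referer" in h:
        return "allow" if origin_of(h["referer"]) == site else "block"
    return "block"


def scan_access_log(lines: List[str], site_origin: str) -> List[Dict[str, str]]:
    """Flag POSTs to TARGET_PATH whose Referer is missing ('-') or from another origin."""
    flagged = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue            # unparseable line; a real pipeline would count these
        ref = m["referer"]
        verdict = classify_request(m["method"], m["path"], {"Referer": ref}, site_origin)
        if verdict == "block":
            flagged.append({
                "ip": m["ip"], "time": m["ts"], "status": m["status"], "referer": ref,
                "reason": "no referer" if ref == "-" else "cross-site referer",
            })
    return flagged


# Constructed sample log, not real traffic: one legitimate admin save, one forged
# cross-site POST, one script-driven POST with no Referer, two unrelated requests.
SAMPLE_LOG = [
    '203.0.113.5 - - [06/Apr/2026:09:58:12 +0000] "POST /admin/customizesettingsnativeUpdate.json.php HTTP/1.1" 200 97 "https://video.example/admin/customize.php" "Mozilla/5.0"',
    '198.51.100.77 - - [06/Apr/2026:10:15:01 +0000] "POST /admin/customizesettingsnativeUpdate.json.php HTTP/1.1" 200 97 "https://attacker.example/lure.html" "Mozilla/5.0"',
    '192.0.2.10 - - [06/Apr/2026:10:20:44 +0000] "POST /admin/customizesettingsnativeUpdate.json.php HTTP/1.1" 200 97 "-" "curl/8.5.0"',
    '203.0.113.5 - - [06/Apr/2026:10:21:03 +0000] "GET /admin/customizesettingsnativeUpdate.json.php HTTP/1.1" 405 0 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [06/Apr/2026:10:21:09 +0000] "POST /login HTTP/1.1" 302 0 "https://attacker.example/" "Mozilla/5.0"',
]

SITE_ORIGIN = "https://video.example"   # assumed site origin for the example

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG, SITE_ORIGIN):
        print(f'{hit["time"]} {hit["ip"]} {hit["reason"]} referer={hit["referer"]}')
```

Run against the sample log, the scan reports the forged POST from attacker.example and the Referer-less POST from the scripted client, and leaves the administrator's own save, the GET and the unrelated login POST alone. The request-time gate deliberately treats a missing Origin/Referer as a block rather than a pass, because a rule that allows header-less POSTs is trivially bypassed by any client that strips them; legitimate API callers should be given an explicit allow-list entry instead.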
CVE-2026-35180 is a Cross-Site Request Forgery (CSRF) vulnerability in WWBN AVideo versions 1.0.0 through 26.0, allowing attackers to potentially overwrite the platform's logo.
Yes, if you are using WWBN AVideo versions 1.0.0 through 26.0, you are potentially affected by this vulnerability.
Upgrade AVideo to version 26.1 or later to resolve the vulnerability. Consider WAF rules as a temporary mitigation.
While no active exploitation has been confirmed, the vulnerability's nature suggests a potential for exploitation.
Refer to the WWBN AVideo security advisories on their official website or GitHub repository for the latest information.