Platform: php
Component: avideo
Fixed in: 26.0.1
CVE-2026-35181 describes a Cross-Site Request Forgery (CSRF) vulnerability discovered in AVideo, an open-source video platform. Because the admin/playerUpdate.json.php endpoint accepts state-changing requests without CSRF protection, an attacker who lures a logged-in administrator's browser into submitting a crafted request can modify the video player's appearance across the entire platform. The vulnerability affects versions 0.0.0 up to and including 26.0, and a fix is available in version 26.1.
The primary impact of CVE-2026-35181 is the ability for an attacker to alter the visual appearance of the video player on the AVideo platform. While this might seem primarily aesthetic, it can be leveraged for phishing attacks, brand impersonation, or to inject malicious content into the player's interface. The ignoreTableSecurityCheck() function, combined with SameSite=None cookies, bypasses existing security measures, making exploitation relatively straightforward. A successful attack could damage the platform's reputation and potentially lead to user confusion or distrust. The lack of CSRF protection on the player skin configuration endpoint represents a significant security oversight.
This vulnerability was publicly disclosed on 2026-04-06. There are currently no known public proof-of-concept exploits available, but the vulnerability's simplicity suggests that one could be developed relatively easily. The vulnerability is not currently listed on the CISA KEV catalog. Given the ease of exploitation and the potential for widespread impact, it is considered a moderate risk.
Exploit Status
EPSS: 0.02% (3% percentile)
CISA SSVC
CVSS Vector
The recommended mitigation for CVE-2026-35181 is to immediately upgrade AVideo to version 26.1 or later, which includes the necessary CSRF protection. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to block requests to the /admin/playerUpdate.json.php endpoint that lack a valid CSRF token. Additionally, ensure that your AVideo deployment issues its session cookie with the SameSite=Strict attribute, so that browsers do not attach it to cross-origin requests. After upgrading, verify the fix by attempting to submit a crafted POST request to /admin/playerUpdate.json.php from a different origin; the request should be rejected.
Update AVideo to version 26.1 or higher to mitigate the CSRF vulnerability. This update corrects the lack of CSRF token validation in the player skin configuration endpoint, preventing unauthorized modifications to the video player appearance.
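To make the mitigation concrete, here is an added example of what a CSRF-protected admin endpoint looks like in plain PHP. It is not AVideo's code and not the project's actual fix; the function names (csrf_token, csrf_verify, same_origin_request, json_response), the session flag is_admin, the skin field and the save_player_skin() call are all assumptions made for illustration. It combines the three controls the advisory names: a SameSite=Strict session cookie, a per-session synchronizer token validated on every state-changing request, and an Origin/Referer check as defence in depth.

```php
<?php
// Added example, not AVideo's code: a generic CSRF-protected admin endpoint.
// Function names, the is_admin session flag and the skin field are assumptions.
declare(strict_types=1);

// 1. Harden the session cookie before session_start(): with SameSite=Strict the
//    browser never attaches it to a request initiated from another site.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Strict',
]);
session_start();

// 2. Synchronizer token: one random token per session, embedded in the admin
//    form and required on every state-changing request.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Hidden input to place inside the admin form that posts to this endpoint.
function csrf_hidden_field(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

function csrf_verify(?string $submitted): bool
{
    $expected = $_SESSION['csrf_token'] ?? '';
    if ($expected === '' || $submitted === null) {
        return false;
    }
    // hash_equals avoids leaking the token through comparison timing.
    return hash_equals($expected, $submitted);
}

// 3. Defence in depth: the Origin (or Referer) host must be our own host.
//    A state-changing request that carries neither header is rejected.
function same_origin_request(string $expectedHost): bool
{
    $origin = $_SERVER['HTTP_ORIGIN'] ?? $_SERVER['HTTP_REFERER'] ?? '';
    if ($origin === '') {
        return false;
    }
    $host = parse_url($origin, PHP_URL_HOST);
    return is_string($host) && strcasecmp($host, $expectedHost) === 0;
}

function json_response(int $status, array $body): void
{
    http_response_code($status);
    header('Content-Type: application/json');
    echo json_encode($body);
    exit;
}

// 4. The endpoint: method, authentication, origin and token checks all run
//    before any configuration is written.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    json_response(405, ['error' => 'POST required']);
}
if (empty($_SESSION['is_admin'])) {                 // assumed session flag
    json_response(403, ['error' => 'admin login required']);
}
if (!same_origin_request($_SERVER['SERVER_NAME'] ?? '')) {
    json_response(403, ['error' => 'cross-origin request rejected']);
}
if (!csrf_verify($_POST['csrf_token'] ?? null)) {
    json_response(403, ['error' => 'invalid or missing CSRF token']);
}

// Only now apply the (hypothetical) player-skin change, and only from an
// allow-list rather than writing submitted values through verbatim.
$allowedSkins = ['default', 'dark', 'light'];
$skin = $_POST['skin'] ?? '';
if (!in_array($skin, $allowedSkins, true)) {
    json_response(400, ['error' => 'unknown skin']);
}
// save_player_skin($skin);   // hypothetical persistence call
json_response(200, ['ok' => true, 'skin' => $skin]);
```

The verification step from the mitigation section maps directly onto this code: a POST sent from another origin arrives either without the session cookie (SameSite=Strict) or without a token the server recognizes, and in both cases the handler answers 403 before touching the player configuration. The allow-list on the skin value is an extra guard against the phishing and content-injection scenarios the impact section describes, since even an authorized request cannot push arbitrary markup into the player.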
CVE-2026-35181 is a Cross-Site Request Forgery (CSRF) vulnerability affecting AVideo versions 0.0.0 through 26.0, allowing attackers to modify the video player's appearance.
If you are running AVideo version 0.0.0 through 26.0, you are potentially affected by this vulnerability. Upgrade to version 26.1 or later to mitigate the risk.
The recommended fix is to upgrade AVideo to version 26.1 or later. As a temporary workaround, implement a WAF rule to block unauthorized requests to /admin/playerUpdate.json.php.
There are currently no confirmed reports of active exploitation, but the vulnerability's simplicity suggests it could be exploited.
Refer to the AVideo project's official website and security advisories for the latest information and updates regarding CVE-2026-35181.