HIGH · CVE-2026-33479 · CVSS 8.8

AVideo: PHP code injection via eval() in Gallery saveSort.json.php, exploitable through CSRF against the administrator

Platform: php

Component: wwbn/avideo

Fixed in: 26.0.1

AI Confidence: high · NVD · EPSS 0.1% · Reviewed: May 2026

CVE-2026-33479 describes a critical Cross-Site Request Forgery (CSRF) vulnerability discovered in the AVideo Gallery plugin for PHP. This flaw allows an attacker to execute arbitrary code on a server if an administrator visits a malicious webpage. The vulnerability impacts versions of the plugin up to 26.0, and a patch is expected to be released by the vendor.

Impact and Attack Scenarios

The core of the vulnerability lies within the saveSort.json.php endpoint, which handles sorting of gallery sections. This endpoint directly incorporates unsanitized user-supplied data from the $_REQUEST['sections'] array into PHP's eval() function. While access to this endpoint is restricted to administrators via User::isAdmin(), the lack of CSRF protection is a significant oversight. AVideo's configuration of SameSite=None for session cookies further exacerbates the issue, allowing attackers to forge requests from a different origin. Successful exploitation results in unauthenticated Remote Code Execution (RCE), granting the attacker complete control over the affected server. This is a high-impact vulnerability with the potential for significant data breaches, system compromise, and further lateral movement within the network.

Exploitation Context

While no public exploits have been released, the vulnerability's ease of exploitation and the potential for RCE make it a high-priority target. The use of eval() with unsanitized user input is a well-known security risk, and the combination with CSRF and SameSite=None cookies significantly increases the attack surface. The vulnerability was publicly disclosed on 2026-03-20. It is recommended to monitor security advisories and threat intelligence feeds for any signs of active exploitation.

Who Is at Risk

Websites utilizing the AVideo Gallery plugin, particularly those with administrator accounts that frequently browse external websites, are at significant risk. Shared hosting environments where multiple websites share the same server are also vulnerable, as a compromise of one website could potentially lead to the compromise of others. Legacy configurations with outdated versions of the plugin are especially susceptible.

Detection Steps

• php / wordpress:

grep -r 'eval($_REQUEST' /var/www/html/plugin/Gallery/view/

• php / wordpress:

find /var/www/html/plugin/Gallery/view/ -name 'saveSort.json.php' -print

• generic web:

curl -I https://your-website.com/plugin/Gallery/view/saveSort.json.php | grep 'SameSite'

Attack Timeline

  1. Disclosure

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No
Internet Exposure: High
Reports: 3 threat reports

EPSS

0.14% (percentile 34%)

CISA SSVC

Exploitation: poc
Automatable: no
Technical Impact: total

CVSS Vector

CVSS 3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (8.8 HIGH)
Attack Vector: Network (how the attacker reaches the target)
Attack Complexity: Low (conditions required to exploit)
Privileges Required: None (authentication level required)
User Interaction: Required (whether a victim action is needed)
Scope: Unchanged (impact beyond the affected component)
Confidentiality: High (risk of sensitive data exposure)
Integrity: High (risk of unauthorized data modification)
Availability: High (risk of service disruption)
CVSS v3.1 base score (nextguardhq.com)

What do these metrics mean?
Attack Vector
Network: exploitable remotely over the internet. No physical or local access required.
Attack Complexity
Low: no special conditions required. Reliably exploitable.
Privileges Required
None: no authentication. No credentials required to exploit.
User Interaction
Required: the victim must open a file, click a link, or visit a page.
Scope
Unchanged: impact limited to the vulnerable component.
Confidentiality
High: total loss of confidentiality. The attacker can read all data.
Integrity
High: the attacker can write, modify, or delete all data.
Availability
High: complete outage or resource exhaustion. Total denial of service.

Affected Software

Component: wwbn/avideo
Vendor: osv

Affected range | Fixed in
<= 26.0 – <= 26.0 | 26.0.1
26.0 | 26.0.1

Package Information

Last update: 29.0 (recently)

Weakness Classification (CWE)

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated
No patch: 65 days since disclosure

Mitigation and Workarounds

The primary mitigation for CVE-2026-33479 is to upgrade to a patched version of the AVideo Gallery plugin as soon as it becomes available. Until a patch is released, consider implementing temporary workarounds. A Web Application Firewall (WAF) can be configured to block requests to the saveSort.json.php endpoint or to filter requests containing suspicious patterns in the sections parameter. Restrict administrator access to only necessary resources and enforce strict input validation on all user-supplied data. Monitor server logs for unusual activity, particularly requests to the vulnerable endpoint. After upgrading, confirm the fix by attempting a CSRF attack against the saveSort.json.php endpoint and verifying that the request is rejected.
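As an added illustration of the mitigation described above and of the eval()/CSRF weakness explained in the impact section (example code, not AVideo's own and not the referenced fix), a hardened sort-saving handler in PHP 8: the session cookie drops SameSite=None, every request must carry a per-session CSRF token compared with hash_equals(), and the sections parameter is validated as a list of integer ids and stored without eval(). User::isAdmin() is taken from the page; the other function names are hypothetical.

```php
<?php
// Added example, not AVideo's code: a CSRF-protected, eval()-free handler for a
// "save gallery sort order" endpoint. User::isAdmin() is the check named on the
// page; the other functions are hypothetical helpers. Requires PHP 8.
// Session cookie no longer SameSite=None: browsers withhold it on cross-site
// POSTs, and the token check below also covers same-site forgeries.
session_set_cookie_params(['secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
session_start();
function issue_csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32)); // embed in the admin form
    }
    return $_SESSION['csrf_token'];
}

function verify_csrf_token(?string $supplied): bool {
    $expected = $_SESSION['csrf_token'] ?? '';
    // constant-time comparison; a missing or empty token never matches
    return $expected !== '' && $supplied !== null && hash_equals($expected, $supplied);
}

// Accept only a non-empty list of positive integer section ids (form fields
// arrive as strings); anything else is rejected rather than interpreted.
function parse_sections(mixed $raw): ?array {
    if (!is_array($raw) || $raw === []) { return null; }
    $ids = [];
    foreach ($raw as $item) {
        if (!is_int($item) && !(is_string($item) && ctype_digit($item))) { return null; }
        if ((int)$item <= 0) { return null; }
        $ids[] = (int)$item;
    }
    return array_values(array_unique($ids));
}
function persist_sort_order(array $ids): void {
    // hypothetical: store the ordered ids with a parameterized query; no eval()
}
header('Content-Type: application/json');
if ($_SERVER['REQUEST_METHOD'] !== 'POST' || !User::isAdmin()) { // read $_POST, never $_REQUEST
    http_response_code(403); echo json_encode(['error' => 'forbidden']); exit;
}
if (!verify_csrf_token($_POST['csrf_token'] ?? null)) {
    http_response_code(403); echo json_encode(['error' => 'invalid csrf token']); exit;
}
$sections = parse_sections($_POST['sections'] ?? null);
if ($sections === null) {
    http_response_code(400); echo json_encode(['error' => 'invalid sections']); exit;
}
persist_sort_order($sections);
echo json_encode(['ok' => true, 'sections' => $sections]);
```

The admin page that renders the sort form must call issue_csrf_token() and submit its value in the csrf_token field; a forged cross-origin form cannot read that value, so its request fails the hash_equals() check even if the cookie were sent.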

How to Fix

Update AVideo to a version later than 26.0. The vulnerability is fixed in commit 087dab8841f8bdb54be184105ef19b47c5698fcb. This prevents PHP code injection through the eval() function in the Gallery plugin.


Frequently Asked Questions

What is CVE-2026-33479 — CSRF in AVideo Gallery Plugin?

CVE-2026-33479 is a critical CSRF vulnerability in the AVideo Gallery plugin for PHP, allowing unauthenticated RCE via crafted requests to the saveSort.json.php endpoint.

Am I affected by CVE-2026-33479 in AVideo Gallery Plugin?

You are affected if you are using AVideo Gallery plugin versions 26.0 or earlier. Administrators are particularly at risk.

How do I fix CVE-2026-33479 in AVideo Gallery Plugin?

Upgrade to a patched version of the AVideo Gallery plugin as soon as it is available. Implement WAF rules and restrict administrator access as temporary mitigations.

Is CVE-2026-33479 being actively exploited?

While no public exploits are currently known, the vulnerability's ease of exploitation makes it a high-priority target. Monitor security advisories for updates.

Where can I find the official AVideo advisory for CVE-2026-33479?

Refer to the AVideo project's official website and security advisories for updates and the latest patch information.
