Platform: php
Component: avideo
Fixed in: 29.0.1
CVE-2026-40929 describes a Cross-Site Request Forgery (CSRF) vulnerability in AVideo versions 1.0.0 through 29.0. The flaw lets an attacker craft a request that an authenticated user's browser (a site moderator, video owner, or comment author) submits on their behalf, deleting comments they are authorized to remove. The vulnerability stems from the objects/commentDelete.json.php endpoint lacking proper CSRF validation, and a fix is available in version 29.1.
An attacker can exploit this CSRF vulnerability to delete comments on an AVideo platform. This could be used to silence legitimate users, disrupt discussions, or deface a site by removing important content. Because AVideo intentionally supports cross-origin embedded players (setting session.cookie_samesite=None), the session cookie is sent on cross-site requests, so any attacker-controlled page the victim visits can trigger the comment deletion; this significantly broadens the attack surface. The impact is amplified for users with elevated privileges, such as moderators and video owners, since they have the authority to delete a larger number of comments.
CVE-2026-40929 was published on April 21, 2026. The vulnerability's severity is currently assessed as Medium (CVSS 5.4). There are no publicly known exploit kits or active campaigns targeting this specific vulnerability at the time of writing. The lack of CSRF protection is a common vulnerability pattern, and while no direct precedent is immediately apparent, similar CSRF flaws have been exploited in various web applications. The vulnerability is not listed on KEV or EPSS.
Exploit status
EPSS: 0.02% (5th percentile)
CISA SSVC:
CVSS vector:
The primary mitigation for CVE-2026-40929 is to upgrade AVideo to version 29.1 or later, which includes the necessary CSRF protection. If upgrading is not immediately feasible, consider a Web Application Firewall (WAF) rule that blocks requests to objects/commentDelete.json.php whose Origin (or, failing that, Referer) header does not match the site's own origin. Additionally, ensure that the Origin and Referer headers are validated on the server side. While not a complete solution, these workarounds reduce the immediate risk. After upgrading, confirm the fix by attempting to trigger a comment deletion from an external website: the request should be rejected.
Upgrade AVideo to version 29.1 or later to mitigate the vulnerability. The update corrects the missing CSRF validation on the `objects/commentDelete.json.php` endpoint, preventing mass deletion of comments by attackers.
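To make the server-side mitigation concrete, here is an added example (not AVideo's code, and not the fix shipped in 29.1) of a request guard that a state-changing JSON endpoint such as a comment-delete action can run before doing any work. All function names, the `site_origin()` configuration value and the sample requests are hypothetical and constructed for this illustration. It combines the two controls the text recommends: an exact-origin check on the Origin/Referer headers, and a per-session anti-CSRF token compared in constant time.

```php
<?php
// Added example (not AVideo's code): a guard for a state-changing JSON
// endpoint such as a comment-delete action. Function names, the configured
// origin and the sample requests below are hypothetical.

declare(strict_types=1);

/**
 * The scheme://host[:port] this deployment is served from.
 * Take it from configuration, never from the request's Host header.
 */
function site_origin(): string
{
    return 'https://videos.example.test'; // constructed value
}

/**
 * True when the request came from a page on our own origin.
 * Browsers attach Origin to cross-site POSTs; fall back to Referer for
 * clients that omit it. A missing header is rejected: "unknown" is not "same".
 */
function origin_is_trusted(array $headers, string $expectedOrigin): bool
{
    $candidate = $headers['Origin'] ?? null;
    if ($candidate === null && isset($headers['Referer'])) {
        $parts = parse_url($headers['Referer']);
        if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
            return false;
        }
        $candidate = $parts['scheme'] . '://' . $parts['host']
                   . (isset($parts['port']) ? ':' . $parts['port'] : '');
    }
    if ($candidate === null || $candidate === 'null') {
        return false; // absent, or the opaque "null" origin (sandboxed/file pages)
    }
    // Exact match on scheme + host + port; hostnames are case-insensitive.
    return strcasecmp(rtrim($candidate, '/'), rtrim($expectedOrigin, '/')) === 0;
}

/**
 * Issue (once per session) the anti-CSRF token that forms and XHR must echo back.
 */
function csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

/**
 * Constant-time comparison of the submitted token against the session token.
 */
function csrf_token_is_valid(array $session, ?string $submitted): bool
{
    if ($submitted === null || empty($session['csrf_token'])) {
        return false;
    }
    return hash_equals($session['csrf_token'], $submitted);
}

/**
 * Combined guard: method, origin and token must all pass.
 * Returns null when the request may proceed, otherwise a reason to reject it.
 */
function guard_comment_delete(string $method, array $headers, array $session, ?string $token): ?string
{
    if ($method !== 'POST') {
        return 'state-changing action requires POST';
    }
    if (!origin_is_trusted($headers, site_origin())) {
        return 'cross-origin request rejected';
    }
    if (!csrf_token_is_valid($session, $token)) {
        return 'missing or invalid CSRF token';
    }
    return null;
}

// --- Demonstration with constructed requests ---
$session = [];
$token = csrf_token($session);

// Same-origin request carrying the session token: allowed.
var_dump(guard_comment_delete('POST', ['Origin' => 'https://videos.example.test'], $session, $token));

// Forged request from another site: the cookie rides along, but origin and token fail.
var_dump(guard_comment_delete('POST', ['Origin' => 'https://other-site.example.test'], $session, null));

// Same-origin page that forgot to send the token: still rejected.
var_dump(guard_comment_delete('POST', ['Referer' => 'https://videos.example.test/video/1'], $session, null));
```

The token check matters even when the origin check is present: with session.cookie_samesite=None (which the embed player support requires) the browser will attach the session cookie to cross-site requests, so the cookie alone cannot distinguish a legitimate request from a forged one. The origin check is a cheap first line of defence and the basis for the WAF rule mentioned above, while the token ties each state-changing request to a page the server actually served.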
CVE-2026-40929 is a Cross-Site Request Forgery (CSRF) vulnerability affecting AVideo versions 1.0.0 through 29.0. It allows attackers to delete comments without proper CSRF protection, potentially disrupting user interactions and defacing websites.
If you are running AVideo version 1.0.0 through 29.0, you are potentially affected by this vulnerability. Check your AVideo version and upgrade as soon as possible.
The recommended fix is to upgrade AVideo to version 29.1 or later. This version includes the necessary CSRF protection to mitigate the vulnerability.
As of the current assessment, there are no publicly known active campaigns exploiting CVE-2026-40929. However, it's crucial to apply the fix promptly to prevent potential future exploitation.
Refer to the official AVideo security advisory for detailed information and updates regarding CVE-2026-40929. Check the AVideo website or relevant security mailing lists for the latest announcements.