Platform: php
Component: avideo
Fixed in: 29.0.1
CVE-2026-40925 describes a Cross-Site Request Forgery (CSRF) vulnerability within the objects/configurationUpdate.json.php endpoint of AVideo. This flaw allows an attacker to modify critical site configurations, potentially gaining unauthorized access and control. The vulnerability impacts AVideo versions 1.0.0 up to and including 29.0, and a fix is available in version 29.1.
The primary impact of CVE-2026-40925 is the ability for an attacker to remotely modify AVideo's site configuration. Because the endpoint lacks proper CSRF protection, a malicious website can craft a POST request that, when visited by an authenticated administrator, will silently update the site's settings. These include sensitive values such as encoder URLs, SMTP credentials, and other global configuration. Successful exploitation could lead to unauthorized video encoding, email spoofing, and ultimately complete compromise of the AVideo instance. The session.cookie_samesite=None setting, intentionally enabled for cross-origin iframe embedding, exacerbates the vulnerability because the browser attaches the administrator's session cookie to cross-site POST requests, making exploitation significantly easier.
CVE-2026-40925 was published on 2026-04-21. Its severity is rated HIGH (CVSS 8.3). There are currently no publicly known active campaigns exploiting this vulnerability. The lack of a globalToken and the reliance on User::isAdmin() for authorization, combined with the permissive Origin header handling, mirrors patterns seen in other CSRF vulnerabilities, but no direct precedent is immediately apparent. The vulnerability is not listed on KEV or EPSS at this time.
Exploit status
EPSS
0.02% (5th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-40925 is to upgrade AVideo to version 29.1 or later, which includes the necessary CSRF protection. If upgrading immediately is not feasible, consider implementing a temporary workaround by restricting access to the /updateConfig endpoint to trusted origins only. This can be achieved through web application firewall (WAF) rules or proxy configurations that enforce strict Origin header validation. Additionally, monitor AVideo logs for suspicious POST requests to the /updateConfig endpoint, looking for unexpected changes in configuration values. After upgrading, confirm the fix by attempting a cross-origin POST request to /updateConfig from a different domain; the request should be rejected.
To mitigate this vulnerability, update AVideo to version 29.1 or later. This update enforces proper validation of POST requests, which prevents unauthorized modification of the site configuration through CSRF attacks.
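The fix the advisory describes amounts to validating that a configuration-update POST really came from the site's own admin UI. The following is an added example of such a check, not AVideo's own code: it issues a per-session anti-CSRF token, compares the request's Origin (or Referer) against the site's origin on scheme, host and port only, and keeps the administrator check in place on top of that. The token check holds even with session.cookie_samesite=None, since the forging site cannot read the token from the admin's page. SITE_ORIGIN, the function names and the allow-list of keys are assumptions for illustration.

```php
<?php
// Added example of a CSRF-hardened configuration-update handler.
// Not AVideo's code; every name below is hypothetical.
declare(strict_types=1);

// Trusted site origin; assumed to be taken from the deployment's configuration.
const SITE_ORIGIN = 'https://videos.example.org';

// Settings an administrator is allowed to change through this endpoint (assumed list).
const UPDATABLE_KEYS = ['encoderURL', 'smtpServer', 'smtpUsername', 'smtpPassword'];

// Issue (or reuse) a per-session anti-CSRF token; embed it in the admin form.
function csrfToken(): string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Compare scheme://host[:port] only. A string-prefix match would accept
// "https://videos.example.org.attacker.tld"; this comparison does not.
function sameOrigin(string $candidate, string $trusted): bool
{
    $c = parse_url($candidate);
    $t = parse_url($trusted);
    if ($c === false || $t === false) {
        return false;
    }
    foreach (['scheme', 'host'] as $part) {
        if (!isset($c[$part], $t[$part]) || strcasecmp($c[$part], $t[$part]) !== 0) {
            return false;
        }
    }
    return ($c['port'] ?? null) === ($t['port'] ?? null);
}

// Returns null when the request passes every CSRF check, otherwise a short
// reason the caller logs before answering 403.
function rejectCrossSiteRequest(array $server, array $post, string $sessionToken): ?string
{
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return 'method';
    }
    // Browsers attach Origin to cross-site POSTs (and Referer to most of them).
    // A missing header is treated as untrusted, never as same-site.
    $origin = $server['HTTP_ORIGIN'] ?? $server['HTTP_REFERER'] ?? '';
    if ($origin === '' || !sameOrigin($origin, SITE_ORIGIN)) {
        return 'origin';
    }
    // Token bound to the admin's session, compared in constant time.
    $submitted = (string) ($post['csrf_token'] ?? '');
    if ($submitted === '' || !hash_equals($sessionToken, $submitted)) {
        return 'token';
    }
    return null;
}

// The admin check stays, but it is not a CSRF defense by itself: the
// cookie-backed admin session is exactly what a forged request rides on.
function handleConfigUpdate(array $server, array $post, bool $isAdmin): array
{
    if (!$isAdmin) {
        return ['status' => 403, 'error' => 'not an administrator', 'applied' => []];
    }
    $reason = rejectCrossSiteRequest($server, $post, csrfToken());
    if ($reason !== null) {
        // Gives the log-monitoring advice above something concrete to look for.
        error_log(sprintf('configurationUpdate rejected (%s) from %s',
            $reason, $server['REMOTE_ADDR'] ?? 'unknown'));
        return ['status' => 403, 'error' => 'cross-site request rejected', 'applied' => []];
    }
    // Only allow-listed keys reach the configuration store.
    $applied = array_intersect_key($post, array_flip(UPDATABLE_KEYS));
    return ['status' => 200, 'error' => null, 'applied' => $applied];
}

// Usage: a same-origin request carrying the session token is accepted,
// a request whose Origin is another site is refused before any setting changes.
$ok = handleConfigUpdate(
    ['REQUEST_METHOD' => 'POST', 'HTTP_ORIGIN' => SITE_ORIGIN, 'REMOTE_ADDR' => '203.0.113.5'],
    ['csrf_token' => csrfToken(), 'encoderURL' => 'https://encoder.example.org/'],
    true
);
$forged = handleConfigUpdate(
    ['REQUEST_METHOD' => 'POST', 'HTTP_ORIGIN' => 'https://videos.example.org.attacker.tld'],
    ['encoderURL' => 'https://encoder.attacker.tld/'],
    true
);
printf("same-origin: %d, forged: %d\n", $ok['status'], $forged['status']);
```

The Origin check alone is what a WAF or reverse-proxy workaround can enforce from outside the application; the session-bound token is the part only the application itself can add, which is why upgrading remains the real fix.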
CVE-2026-40925 is a Cross-Site Request Forgery (CSRF) vulnerability in AVideo versions 1.0.0 through 29.0. It allows attackers to modify site configurations via a POST request, potentially compromising the entire AVideo instance.
You are affected if you are running AVideo versions 1.0.0 through 29.0 and have not yet upgraded. The vulnerability is easily exploitable due to the lack of CSRF protection on the configuration update endpoint.
Upgrade AVideo to version 29.1 or later. As a temporary workaround, restrict access to the /updateConfig endpoint using a WAF or proxy to enforce Origin header validation.
As of the publication date, there are no publicly known active campaigns exploiting CVE-2026-40925. However, the vulnerability's ease of exploitation warrants immediate attention and remediation.
Refer to the AVideo security advisory published on 2026-04-21 for detailed information and remediation steps. Check the AVideo website or their official communication channels for the latest updates.