Platform: php
Component: avideo
Fixed version: 26.0.1
CVE-2026-34394 describes a Cross-Site Request Forgery (CSRF) vulnerability discovered in AVideo, an open-source video platform. This flaw allows attackers to manipulate plugin settings within the admin interface, potentially leading to unauthorized modifications and control. The vulnerability impacts versions 26.0 and earlier. A fix is available in a later, unconfirmed version.
The core of this vulnerability lies in the lack of CSRF token validation within the admin/save.json.php endpoint. An attacker can craft malicious web pages that, when visited by an authenticated administrator, silently submit forged POST requests to AVideo. Because the application issues its cookies with SameSite=None, the browser attaches the administrator's session to those cross-origin requests. This can be exploited to modify plugin configurations, potentially enabling attackers to inject malicious code, redirect users, or compromise the entire platform. The ignoreTableSecurityCheck() array in objects/Object.php further complicates the situation, as it allows manipulation of plugin tables.
This vulnerability was publicly disclosed on 2026-03-31. There are currently no known public proof-of-concept exploits. The CVSS score of 8.1 (HIGH) indicates a significant risk. It is not currently listed on the CISA KEV catalog. The lack of a public exploit does not diminish the risk, as the vulnerability is relatively straightforward to exploit.
Administrators of AVideo installations running versions 26.0 and earlier are at significant risk. Shared hosting environments where multiple users share the same AVideo instance are particularly vulnerable, as an attacker could potentially compromise the entire hosting account. Users who have not implemented robust security practices, such as regular security audits and plugin updates, are also at increased risk.
• php: Examine web server access logs for suspicious POST requests to admin/save.json.php originating from unfamiliar sources.
• php: Search plugin files for instances of ignoreTableSecurityCheck() and assess the security implications of the included tables.
• generic web: Monitor network traffic for POST requests to admin/save.json.php with unusual or unexpected data payloads.
• generic web: Check response headers for SameSite=None cookie policy and assess its potential impact on CSRF vulnerabilities.
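As an added example (not code from AVideo or from this advisory), the following PHP script applies the first and third checks above to Apache/Nginx combined-format access logs: it keeps only POST requests to admin/save.json.php and reports those whose Referer is absent or names a host other than the AVideo installation, which is the pattern a forged cross-site form post leaves behind. The hostname, the path and the log lines are constructed for illustration.

```php
<?php
// Added example: scan combined-format access logs for POST requests to
// admin/save.json.php whose Referer is missing or points at a foreign origin.
// Not AVideo project code; hostname and sample log lines are constructed.

declare(strict_types=1);

const TRUSTED_HOST = 'video.example.org';   // assumed hostname of the AVideo install
const TARGET_PATH  = '/admin/save.json.php';

// Constructed sample log lines (Apache/Nginx combined log format).
$sampleLog = <<<'LOG'
203.0.113.10 - - [31/Mar/2026:10:01:02 +0000] "POST /admin/save.json.php HTTP/1.1" 200 45 "https://video.example.org/plugin/Live/editor.php" "Mozilla/5.0"
203.0.113.10 - - [31/Mar/2026:10:05:17 +0000] "POST /admin/save.json.php HTTP/1.1" 200 45 "https://lure.example.net/page.html" "Mozilla/5.0"
203.0.113.22 - - [31/Mar/2026:10:06:40 +0000] "POST /admin/save.json.php HTTP/1.1" 200 45 "-" "Mozilla/5.0"
198.51.100.5 - - [31/Mar/2026:10:07:01 +0000] "GET /view/index.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
LOG;

/**
 * Parse one combined-format line into its fields; null if the line does not match.
 */
function parseLine(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "([^"]*)"/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return [
        'ip' => $m[1], 'time' => $m[2], 'method' => $m[3], 'path' => $m[4],
        'status' => (int) $m[5], 'referer' => $m[6], 'ua' => $m[7],
    ];
}

/**
 * Return the suspicious entries: POSTs to the target path whose Referer is absent
 * or whose host differs from the trusted AVideo host. A missing Referer is reported
 * as well, because a cross-site form post may carry none.
 */
function findSuspiciousPosts(string $log): array
{
    $hits = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $e = parseLine($line);
        if ($e === null || $e['method'] !== 'POST') {
            continue;
        }
        if (parse_url($e['path'], PHP_URL_PATH) !== TARGET_PATH) {
            continue;
        }
        $refHost = $e['referer'] === '-' ? null : parse_url($e['referer'], PHP_URL_HOST);
        if ($refHost === null) {
            $e['reason'] = 'no Referer';
            $hits[] = $e;
        } elseif (strcasecmp($refHost, TRUSTED_HOST) !== 0) {
            $e['reason'] = "foreign Referer host {$refHost}";
            $hits[] = $e;
        }
    }
    return $hits;
}

foreach (findSuspiciousPosts($sampleLog) as $h) {
    printf("%s %s %s -> %s\n", $h['time'], $h['ip'], $h['path'], $h['reason']);
}
```

Run against the sample, the script reports the second and third lines and ignores the first (same-site Referer) and the fourth (a GET to another path). A Referer can be stripped by privacy settings, so a hit is a lead to correlate with the plugin-configuration change history, not proof of an attack.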
disclosure
Exploitation status
EPSS: 0.02% (4th percentile)
CISA SSVC
The primary mitigation is to upgrade to a patched version of AVideo. Until a patched version is available, implement temporary workarounds. A Web Application Firewall (WAF) can be configured to block suspicious POST requests to the admin/save.json.php endpoint. Carefully review and restrict plugin access and permissions. Consider implementing stricter input validation and output encoding within the application to reduce the attack surface. After upgrading, confirm the fix by attempting to submit a forged POST request to the admin/save.json.php endpoint and verifying that the request is rejected.
Update AVideo to a version later than 26.0 once a fixed version is published. No patches are currently available, so monitoring WWBN AVideo's security updates is recommended. As a temporary measure, custom CSRF validation can be implemented on the admin/save.json.php endpoint.
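The paragraph above suggests custom CSRF validation on admin/save.json.php as a stop-gap. The following is an added example of such a guard, written for this page and not taken from AVideo: it issues the session cookie with SameSite=Lax instead of None, ties a random per-session token to every state-changing request and compares it in constant time, and independently requires the browser-supplied Origin/Referer (and Sec-Fetch-Site, when present) to name the site. The hostname, header names and JSON error layout are assumptions.

```php
<?php
// Added example: a stand-alone CSRF guard that could be required at the top of a
// state-changing admin endpoint such as admin/save.json.php. Not AVideo's own
// code; SITE_HOST, the header names and the JSON error body are assumptions.

declare(strict_types=1);

const SITE_HOST = 'video.example.org'; // assumed public hostname of this install

/**
 * Start the session with cookie attributes that stop the browser from attaching
 * it to cross-site POSTs. Moving from SameSite=None to Lax is the key change.
 */
function start_hardened_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

/** Return the per-session CSRF token, creating it on first use. */
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

/** Constant-time comparison of the submitted token against the session token. */
function csrf_token_valid($submitted): bool
{
    if (!is_string($submitted) || empty($_SESSION['csrf_token'])) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], $submitted);
}

/**
 * Independent second check: Sec-Fetch-Site, when present, must not be
 * cross-site, and Origin (or Referer) must name this site. With no origin
 * information at all the request is refused rather than guessed about.
 */
function request_is_same_site(array $headers): bool
{
    if (strtolower($headers['Sec-Fetch-Site'] ?? '') === 'cross-site') {
        return false;
    }
    $source = $headers['Origin'] ?? $headers['Referer'] ?? null;
    if ($source === null) {
        return false;
    }
    $host = parse_url($source, PHP_URL_HOST);
    return is_string($host) && strcasecmp($host, SITE_HOST) === 0;
}

/**
 * Guard to call before touching plugin settings. Returns true when the request
 * may proceed; otherwise sends a 403 JSON error and returns false.
 */
function require_csrf_protection(array $post, array $headers): bool
{
    $ok = csrf_token_valid($post['csrf_token'] ?? null) && request_is_same_site($headers);
    if (!$ok) {
        http_response_code(403);
        header('Content-Type: application/json');
        echo json_encode(['error' => true, 'msg' => 'CSRF check failed']);
    }
    return $ok;
}

// Usage at the top of the endpoint (getallheaders() is available under Apache
// and PHP-FPM; on other SAPIs build the array from $_SERVER instead):
//   start_hardened_session();
//   if (!require_csrf_protection($_POST, getallheaders())) { exit; }
//   ... existing save logic ...
// The admin page that renders the settings form embeds csrf_token() as a hidden
// field (or sends it in the request body from its JavaScript).
```

Both checks are kept deliberately: the token defeats a forged form even if a browser still sends the cookie, and the origin check catches a token that leaked or was never enforced on some code path. If legitimate admin pages are served from a second hostname, SITE_HOST becomes an allow-list rather than a single value.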
CVE-2026-34394 is a Cross-Site Request Forgery (CSRF) vulnerability affecting AVideo versions up to 26.0, allowing attackers to modify plugin settings.
Yes, if you are running AVideo version 26.0 or earlier, you are vulnerable to this CSRF attack.
Upgrade to a patched version of AVideo. Until then, implement WAF rules and restrict plugin access.
There are currently no known active exploits, but the vulnerability is considered high severity.
Refer to the AVideo project's official website and security advisories for updates and mitigation guidance.
CVSS vector