26.0.1
CVE-2026-34613 describes a Cross-Site Request Forgery (CSRF) vulnerability affecting wwbn/avideo versions up to 26.0. This flaw allows an attacker to disable critical security plugins within the AVideo platform, potentially compromising user authentication and access controls. The vulnerability stems from insufficient CSRF token validation in the objects/pluginSwitch.json.php endpoint and bypasses ORM-level security checks. A fix is available; upgrading to a patched version is recommended.
The primary impact of CVE-2026-34613 is that an attacker can remotely disable security plugins within the AVideo platform. The attacker needs no credentials of their own; it is enough that the victim administrator has an active session in the browser that issues the forged request. The objects/pluginSwitch.json.php endpoint, responsible for plugin management, lacks proper CSRF protection. Furthermore, the explicit listing of the plugins table in ignoreTableSecurityCheck() bypasses ORM-level Referer/Origin domain validation, amplifying the attack surface. The SameSite=None attribute on session cookies further facilitates exploitation by allowing the session cookie to accompany cross-domain requests. Disabling plugins like LoginControl (2FA), subscription enforcement, or access control mechanisms can lead to unauthorized access, data breaches, and complete system compromise. Successful exploitation could result in a significant loss of data integrity and confidentiality.
CVE-2026-34613 was publicly disclosed on 2026-04-01. The vulnerability's severity is currently assessed as MEDIUM (CVSS 6.5). There is no indication of this vulnerability being added to the CISA KEV catalog at this time. The absence of a public proof-of-concept (POC) does not diminish the risk, as the vulnerability's nature makes it relatively straightforward to exploit. Active campaigns targeting this vulnerability are not currently known, but the ease of exploitation warrants proactive mitigation.
Organizations utilizing wwbn/avideo for video management and streaming, particularly those with administrator accounts and deployed plugins for authentication, subscription management, or access control, are at risk. Shared hosting environments where multiple users share the same AVideo instance are especially vulnerable, as an attacker could potentially exploit the vulnerability on behalf of another user.
• php: Examine the objects/pluginSwitch.json.php file for missing CSRF token validation. Search for the ignoreTableSecurityCheck() function call and its impact on ORM security checks.
    grep -r 'ignoreTableSecurityCheck' /path/to/avideo
• php: Monitor access logs for requests to objects/pluginSwitch.json.php originating from unexpected or unauthorized sources.
    grep 'pluginSwitch.json.php' /var/log/apache2/access.log
• generic web: Check session cookie attributes for SameSite=None. This configuration increases the risk of CSRF attacks.
    curl -I https://your-avideo-site.com | grep Set-Cookie
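The grep commands above only list hits; the following script, added here as an example and not part of the advisory or of the AVideo project, carries the same two checks further. It parses Apache combined-format access log lines, flags requests to objects/pluginSwitch.json.php whose Referer is absent or points at another host (the trace a cross-site request leaves), and inspects a Set-Cookie header for SameSite=None. The log lines, IP addresses and host names are constructed for the demo, and all function names are hypothetical.

```php
<?php
// Added example, not code from the AVideo project. Scans access-log lines
// for plugin-switch requests that did not come from the site itself, and
// checks a Set-Cookie header for the SameSite=None attribute the advisory
// warns about. Sample data below is constructed; names are placeholders.

declare(strict_types=1);

// Apache combined log: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-agent}i"
const COMBINED_LOG_RE = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "[^"]*"$/';

function parseLogLine(string $line): ?array
{
    if (!preg_match(COMBINED_LOG_RE, $line, $m)) {
        return null;                       // not a combined-format line
    }
    return [
        'ip'      => $m[1],
        'time'    => $m[2],
        'method'  => $m[3],
        'path'    => $m[4],
        'status'  => (int) $m[5],
        'referer' => $m[6],
    ];
}

// Return plugin-switch requests whose Referer is missing or from a foreign host.
// An empty Referer ("-") is treated as suspicious because a same-site admin UI
// normally sends one; tune this if the site sets a strict Referrer-Policy.
function findSuspiciousPluginSwitches(array $lines, string $ownHost): array
{
    $hits = [];
    foreach ($lines as $line) {
        $r = parseLogLine($line);
        if ($r === null || strpos($r['path'], 'objects/pluginSwitch.json.php') === false) {
            continue;
        }
        $refHost = $r['referer'] === '-' ? null : parse_url($r['referer'], PHP_URL_HOST);
        if (!is_string($refHost)) {
            $r['reason'] = 'no usable referer';
            $hits[] = $r;
        } elseif (strcasecmp($refHost, $ownHost) !== 0) {
            $r['reason'] = "referer host {$refHost}";
            $hits[] = $r;
        }
    }
    return $hits;
}

// True when a Set-Cookie header value carries SameSite=None (case-insensitive).
function cookieIsSameSiteNone(string $setCookie): bool
{
    return (bool) preg_match('/;\s*samesite\s*=\s*none\b/i', $setCookie);
}

// Constructed sample log lines and header.
$sampleLog = [
    '203.0.113.7 - - [01/Apr/2026:10:00:01 +0000] "POST /objects/pluginSwitch.json.php HTTP/1.1" 200 45 "https://videos.example.com/plugin/list" "Mozilla/5.0"',
    '198.51.100.9 - - [01/Apr/2026:10:02:11 +0000] "POST /objects/pluginSwitch.json.php HTTP/1.1" 200 45 "https://other.example/page.html" "Mozilla/5.0"',
    '198.51.100.9 - - [01/Apr/2026:10:02:12 +0000] "POST /objects/pluginSwitch.json.php HTTP/1.1" 200 45 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [01/Apr/2026:10:03:00 +0000] "GET /index.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
];
$sampleCookie = 'PHPSESSID=placeholder; path=/; secure; HttpOnly; SameSite=None';

foreach (findSuspiciousPluginSwitches($sampleLog, 'videos.example.com') as $hit) {
    printf("%s %s %s %s (%s)\n", $hit['time'], $hit['ip'], $hit['method'], $hit['path'], $hit['reason']);
}
printf("session cookie SameSite=None: %s\n", cookieIsSameSiteNone($sampleCookie) ? 'yes' : 'no');
```

Run it against a real log with `findSuspiciousPluginSwitches(file('/var/log/apache2/access.log', FILE_IGNORE_NEW_LINES), 'your-host')`; the first sample line (same-site Referer) is not reported, the second and third are.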
Exploitation status
EPSS: 0.02% (3rd percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-34613 is to upgrade to a patched version of wwbn/avideo. Unfortunately, the specific fixed version is not provided. If upgrading immediately is not feasible, consider implementing temporary workarounds. Implement strict input validation and output encoding on all user-supplied data to minimize the risk of CSRF attacks. Consider using a Web Application Firewall (WAF) with CSRF protection rules to block malicious requests. Review and restrict access to the objects/pluginSwitch.json.php endpoint, limiting access to trusted administrators only. Monitor AVideo logs for suspicious activity, particularly requests to disable plugins. After upgrading, confirm the fix by attempting a CSRF attack against the objects/pluginSwitch.json.php endpoint and verifying that the request is rejected.
Upgrade AVideo to a version later than 26.0, in which CSRF token validation is enforced on the objects/pluginSwitch.json.php endpoint. This prevents an attacker from disabling critical security plugins through a CSRF attack.
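To make the fix concrete, here is an added example of what a hardened plugin-toggle handler looks like. It is hypothetical code written for this page, not AVideo's own implementation, and every function name and host name in it is a placeholder. It combines the three controls the advisory discusses: a per-session CSRF token compared in constant time, an Origin/Referer host check that is applied to the plugins table rather than skipped, and a session cookie issued with SameSite=Lax instead of SameSite=None.

```php
<?php
// Added example: a hypothetical hardened plugin-toggle handler, not code
// from the AVideo project. Function names and the host are placeholders.

declare(strict_types=1);

// Pass to session_set_cookie_params() before session_start() in a real app.
// With SameSite=Lax the browser omits the cookie on cross-site POSTs, so a
// forged request arrives without the administrator's session.
const SESSION_COOKIE_OPTIONS = [
    'httponly' => true,
    'secure'   => true,
    'samesite' => 'Lax',
];

// Issue a fresh random token and store it in the session (e.g. at login).
function issueCsrfToken(array &$session): string
{
    $session['csrf_token'] = bin2hex(random_bytes(32));
    return $session['csrf_token'];
}

// Prefer Origin, fall back to Referer, and compare only the host part.
// A missing source header is treated as cross-site and rejected.
function requestHostMatches(array $headers, string $ownHost): bool
{
    $source = $headers['Origin'] ?? $headers['Referer'] ?? '';
    if ($source === '') {
        return false;
    }
    $host = parse_url($source, PHP_URL_HOST);
    return is_string($host) && strcasecmp($host, $ownHost) === 0;
}

// Decide whether a plugin enable/disable request may proceed. The caller
// has already confirmed that the session belongs to an administrator.
function pluginSwitchAllowed(string $method, array $post, array $headers, array $session, string $ownHost): bool
{
    if ($method !== 'POST') {
        return false;                           // state changes only via POST
    }
    if (!requestHostMatches($headers, $ownHost)) {
        return false;                           // domain check, never bypassed for plugins
    }
    $expected = $session['csrf_token'] ?? '';
    $supplied = $post['csrf_token'] ?? '';
    if ($expected === '' || !is_string($supplied)) {
        return false;
    }
    return hash_equals($expected, $supplied);   // constant-time comparison
}

// Demo with constructed inputs.
$session = [];
$token   = issueCsrfToken($session);
$ownHost = 'videos.example.com';

// Same-site request carrying the session's token: allowed.
$ok = pluginSwitchAllowed(
    'POST',
    ['plugin' => 'LoginControl', 'enable' => '0', 'csrf_token' => $token],
    ['Origin' => 'https://videos.example.com'],
    $session,
    $ownHost
);

// Cross-site request without the token (the CSRF case): rejected.
$forged = pluginSwitchAllowed(
    'POST',
    ['plugin' => 'LoginControl', 'enable' => '0'],
    ['Origin' => 'https://other.example'],
    $session,
    $ownHost
);

var_dump($ok, $forged);
```

The token check alone closes the CSRF hole; the host check and the SameSite change are defence in depth, so that a future endpoint that forgets the token still does not become a one-click plugin kill switch.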
CVE-2026-34613 is a CSRF vulnerability in wwbn/avideo versions up to 26.0, allowing attackers to disable security plugins.
If you are running wwbn/avideo version 26.0 or earlier, you are potentially affected by this vulnerability.
Upgrade to a patched version of wwbn/avideo. If immediate upgrade is not possible, implement temporary workarounds like WAF rules and input validation.
While there are no confirmed reports of active exploitation, the vulnerability's ease of exploitation warrants proactive mitigation.
Refer to the wwbn/avideo security advisories for the latest information and official guidance on CVE-2026-34613.