Platform: php
Component: avideo
Fixed version: 29.0.1
CVE-2026-40926 is a Cross-Site Request Forgery (CSRF) vulnerability in AVideo. It lets an attacker cause an authenticated administrator's browser to perform admin actions without the administrator's knowledge, which can lead to unauthorized changes to the installation. The vulnerability affects versions 1.0.0 through 29.0 and is resolved in version 29.1.
The flaw lies in three admin-only JSON endpoints: objects/categoryAddNew.json.php, objects/categoryDelete.json.php, and objects/pluginRunUpdateScript.json.php. They enforce an admin role check but no CSRF check, so a request that arrives with the administrator's session cookie is accepted regardless of where it originated. An attacker who lures a logged-in administrator to a page they control (a crafted link, an embedded form, a malicious email) can have the browser issue these requests on the attacker's behalf. Successful exploitation allows the attacker to add or delete categories and to run plugin update scripts, compromising the integrity of the AVideo installation and its data. Comparable endpoints in the same code base do carry CSRF checks, so the omission on these three is a clear oversight rather than a design choice.
CVE-2026-40926 was published on 2026-04-21. The exploitation path is straightforward (CSRF needs no code execution and no credential theft, only a logged-in administrator visiting an attacker-controlled page) and the impact on an affected install is significant, which together suggest a medium likelihood of exploitation. No public Proof-of-Concept (PoC) code had been identified at the time of writing, but the missing CSRF protection on critical admin endpoints makes this a plausible target for opportunistic attackers. The vulnerability is not currently listed in CISA's KEV catalog, and its EPSS score is low (0.02%, 6th percentile).
Exploitation status
EPSS
0.02% (6th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-40926 is to upgrade AVideo to version 29.1 or later, which adds the missing CSRF protection. If an immediate upgrade is not feasible, restrict the vulnerable endpoints (objects/categoryAddNew.json.php, objects/categoryDelete.json.php, objects/pluginRunUpdateScript.json.php) at a Web Application Firewall (WAF) or reverse proxy until the upgrade is done. A WAF cannot validate a session-bound CSRF token that the application does not yet issue, so a practical interim rule is to reject requests to these paths whose Origin or Referer header is not your own site, or to allow them only from trusted administrator source addresses. Additionally, remind administrators not to browse untrusted sites or open untrusted emails while logged in to the AVideo admin interface. After upgrading, confirm the fix in a controlled environment: send a request to each endpoint with a valid admin session but without the CSRF token, and verify that the application now rejects it.
Update AVideo to version 29.1 or later to mitigate the CSRF vulnerability. This release implements the checks needed to protect against unauthorized creation, update or deletion of categories and unauthorized execution of plugin update scripts.
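To make the gap concrete, the following added example (not AVideo's code, and not from the advisory) models the two handler shapes described above: an endpoint that only checks the admin role, and the same endpoint hardened with an Origin check and a session-bound anti-CSRF token. The `Session`, `Request`, endpoint paths and the `simulate()` helper are constructed for this illustration; a legitimate same-origin request and a forged cross-site request are run through both handlers so the difference is visible.

```python
"""Constructed model of a role-check-only admin endpoint versus one with CSRF
protection. Names, request objects and sample requests are assumptions made
for this example; they are not AVideo's implementation."""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional
from urllib.parse import urlsplit

SITE_ORIGIN = "https://video.example"  # assumed deployment origin

# The three admin-only endpoints named in the advisory.
ADMIN_ENDPOINTS = {
    "/objects/categoryAddNew.json.php",
    "/objects/categoryDelete.json.php",
    "/objects/pluginRunUpdateScript.json.php",
}


@dataclass
class Session:
    """Server-side session resolved from the cookie the browser attached."""
    user: str
    is_admin: bool
    # A random per-session token the legitimate UI embeds in its forms.
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(32))


@dataclass
class Request:
    path: str
    method: str
    form: Dict[str, str]
    headers: Dict[str, str]
    # The browser sends the admin's cookie on cross-site POSTs too, so a forged
    # request still resolves to the admin's session.
    session: Optional[Session]


def _same_origin(req: Request) -> bool:
    """Compare scheme and host of Origin (or Referer) with the site origin."""
    hdr = req.headers.get("Origin") or req.headers.get("Referer", "")
    if not hdr:
        return False  # cross-site navigation-style POSTs must not slip through
    got, want = urlsplit(hdr), urlsplit(SITE_ORIGIN)
    return (got.scheme, got.netloc) == (want.scheme, want.netloc)


def vulnerable_handler(req: Request) -> dict:
    """Vulnerable shape: role check only. Any request carrying the admin's
    cookie is executed, wherever it came from."""
    if req.path not in ADMIN_ENDPOINTS:
        return {"error": True, "msg": "unknown endpoint"}
    if req.session is None or not req.session.is_admin:
        return {"error": True, "msg": "admin only"}
    return {"error": False, "msg": "executed " + req.path}


def hardened_handler(req: Request) -> dict:
    """Fixed shape: role check plus origin check plus session-bound token."""
    if req.path not in ADMIN_ENDPOINTS:
        return {"error": True, "msg": "unknown endpoint"}
    if req.session is None or not req.session.is_admin:
        return {"error": True, "msg": "admin only"}
    if req.method != "POST":
        return {"error": True, "msg": "POST required"}  # no state change on GET
    if not _same_origin(req):
        return {"error": True, "msg": "cross-site request rejected"}
    submitted = req.form.get("csrf_token", "")
    # Constant-time compare so the token cannot be guessed byte by byte.
    if not hmac.compare_digest(submitted, req.session.csrf_token):
        return {"error": True, "msg": "invalid CSRF token"}
    return {"error": False, "msg": "executed " + req.path}


def simulate() -> dict:
    """Run one legitimate and two forged requests through both handlers."""
    admin = Session(user="admin", is_admin=True)
    legit = Request(  # submitted from the real admin UI
        path="/objects/categoryAddNew.json.php", method="POST",
        form={"name": "news", "csrf_token": admin.csrf_token},
        headers={"Origin": SITE_ORIGIN}, session=admin)
    forged_delete = Request(  # auto-submitted form on an attacker page
        path="/objects/categoryDelete.json.php", method="POST",
        form={"categories_id": "7"},
        headers={"Origin": "https://attacker.example"}, session=admin)
    forged_update = Request(  # lookalike host must not pass the origin check
        path="/objects/pluginRunUpdateScript.json.php", method="POST",
        form={"pluginName": "SomePlugin", "csrf_token": "guess"},
        headers={"Referer": "https://video.example.attacker.example/x"},
        session=admin)
    return {
        "vuln_legit": vulnerable_handler(legit),
        "vuln_forged": vulnerable_handler(forged_delete),
        "hard_legit": hardened_handler(legit),
        "hard_forged": hardened_handler(forged_delete),
        "hard_lookalike": hardened_handler(forged_update),
    }


if __name__ == "__main__":
    for name, result in simulate().items():
        print(name, result)
```

The origin check compares scheme and host exactly rather than with a string prefix, so a lookalike host such as `video.example.attacker.example` is rejected; the token is bound to the session and compared in constant time. Either check alone would stop the forged requests in this model, and the upgrade path in the advisory is still the real fix.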
CVE-2026-40926 is a Cross-Site Request Forgery (CSRF) vulnerability affecting AVideo versions 1.0.0 through 29.0. It allows an attacker to perform administrator actions without the administrator's consent by getting their browser to send crafted requests.
If you run AVideo version 1.0.0 through 29.0, you are potentially affected. Upgrade to version 29.1 or later to mitigate the risk.
The recommended fix is to upgrade AVideo to version 29.1 or later. As a temporary workaround, restrict the three vulnerable endpoints at a WAF or reverse proxy, for example by rejecting requests whose Origin or Referer is not your own site.
No public Proof-of-Concept (PoC) code has been identified, but the nature of the vulnerability makes it a plausible target for exploitation. Continuous monitoring is recommended.
Refer to the AVideo official website and security advisories for the most up-to-date information on CVE-2026-40926 and the recommended remediation steps.