CVE-2026-33479
Remote Code Execution via CSRF in WWBN AVideo Gallery Plugin
Publication date: 2026-03-23
Last updated on: 2026-03-24
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wwbn | avideo | up to 26.0 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-33479 is a high-severity vulnerability in the Gallery plugin of the WWBN AVideo platform. The vulnerability exists because the saveSort.json.php endpoint takes unsanitized user input from the 'sections' array and passes it directly into PHP's eval() function. Although this endpoint is restricted to admin users, it lacks Cross-Site Request Forgery (CSRF) protection. Because the session cookies are configured with SameSite=None, an attacker can exploit this by tricking an authenticated admin into visiting a malicious page that submits a crafted request, leading to remote code execution on the server.

In essence, the vulnerability allows an attacker to execute arbitrary PHP code on the server without authentication, by exploiting the combination of missing CSRF tokens, unsafe use of eval(), and the session cookie configuration. [2]
How can this vulnerability impact me?
This vulnerability can have severe impacts including remote code execution (RCE) on the server hosting the AVideo platform. An attacker can gain full control over the server, potentially accessing the file system, databases, and installing backdoors.
- Full server compromise
- Unauthorized access to sensitive data
- Ability to execute arbitrary commands on the server
- Potential lateral movement within the network
- Stealthy attacks requiring only that an admin visits a malicious page
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves checking for the presence of the vulnerable endpoint and monitoring for suspicious POST requests to it.
- Look for POST requests to the endpoint `saveSort.json.php` within the Gallery plugin directory.
- Check if the requests contain the `sections` parameter with unusual or suspicious values that could be PHP code injection attempts.
- Monitor web server logs for POST requests to `plugin/Gallery/view/saveSort.json.php` that do not include a valid CSRF token or that return HTTP 403 errors indicating missing or invalid CSRF tokens (if patched).
- Use commands like `grep 'saveSort.json.php' /var/log/apache2/access.log` or equivalent for your web server logs to find relevant requests.
- Inspect POST data for suspicious payloads in the `sections` parameter, such as code snippets or base64-encoded commands.
- If possible, use intrusion detection systems or web application firewalls to alert on POST requests to this endpoint with unexpected input patterns. [2, 1]
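The log review above, carried a step further than `grep`, as an added example that is not part of this advisory or of AVideo: a small PHP scanner over Apache "combined"-format access log lines that isolates POSTs to the Gallery `saveSort.json.php` path and flags the two signals an access log can actually show, a cross-site `Referer` (the forged request is submitted from a third-party page) and a 403 response (a patched host rejecting the token). The log lines, the hostname `videos.example` and the function names are constructed for the illustration. One caveat: an access log records method, path, status and `Referer`, not the POST body, so the `sections` values themselves are only visible in a WAF audit log or application-level logging.

```php
<?php
declare(strict_types=1);

// Added example, not advisory or project code. Scans constructed Apache
// "combined"-format lines for POSTs to the Gallery saveSort endpoint.

const TARGET_PATH = '/plugin/Gallery/view/saveSort.json.php';

// Constructed sample traffic (not real): one legitimate admin save from the
// site's own page, then two submissions whose Referer is a third-party page.
const SAMPLE_LOG = <<<'LOG'
203.0.113.10 - - [23/Mar/2026:10:01:02 +0000] "GET /plugin/Gallery/view/index.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.10 - - [23/Mar/2026:10:01:09 +0000] "POST /plugin/Gallery/view/saveSort.json.php HTTP/1.1" 200 48 "https://videos.example/plugin/Gallery/view/index.php" "Mozilla/5.0"
203.0.113.10 - - [23/Mar/2026:10:05:44 +0000] "POST /plugin/Gallery/view/saveSort.json.php HTTP/1.1" 200 48 "https://third-party.example/page.html" "Mozilla/5.0"
203.0.113.10 - - [23/Mar/2026:10:06:01 +0000] "POST /plugin/Gallery/view/saveSort.json.php HTTP/1.1" 403 21 "https://third-party.example/page.html" "Mozilla/5.0"
LOG;

/** Parse one combined-format line into named fields, or null if it does not match. */
function parseCombinedLine(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "([^"]*)"$/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    $path = parse_url($m[4], PHP_URL_PATH);   // drop any query string
    return [
        'ip'      => $m[1],
        'time'    => $m[2],
        'method'  => $m[3],
        'path'    => is_string($path) ? $path : $m[4],
        'status'  => (int)$m[5],
        'referer' => $m[6],
        'ua'      => $m[7],
    ];
}

/**
 * Return every POST to the endpoint together with the reasons it looks
 * suspicious. $ownHost is the site's own hostname: a Referer on any other
 * host means the form was submitted from a third-party page.
 */
function findSuspiciousSaveSortPosts(string $log, string $ownHost): array
{
    $hits = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $r = parseCombinedLine($line);
        if ($r === null || $r['method'] !== 'POST' || $r['path'] !== TARGET_PATH) {
            continue;
        }
        $reasons = [];
        $refHost = $r['referer'] === '-' ? null : parse_url($r['referer'], PHP_URL_HOST);
        if ($refHost === null) {
            // Ambiguous: a referrer policy may have stripped the header.
            $reasons[] = 'no Referer';
        } elseif (strcasecmp($refHost, $ownHost) !== 0) {
            $reasons[] = "cross-site Referer from $refHost";
        }
        if ($r['status'] === 403) {
            $reasons[] = '403: rejected by the server (token check on a patched host)';
        }
        $r['reasons'] = $reasons;
        $hits[] = $r;
    }
    return $hits;
}

// Print one line per POST to the endpoint, marking the ones worth a closer look.
foreach (findSuspiciousSaveSortPosts(SAMPLE_LOG, 'videos.example') as $h) {
    $flag = $h['reasons'] ? 'SUSPICIOUS' : 'ok';
    printf("%s %-13s %-10s %d %s\n", $h['time'], $h['ip'], $flag, $h['status'], implode('; ', $h['reasons']));
}
```

Run it against a real log with `php scan.php < /dev/null` after swapping `SAMPLE_LOG` for `file_get_contents('/var/log/apache2/access.log')` and `videos.example` for the site's hostname. The Referer heuristic is deliberately weak in one direction: a missing Referer is reported but not treated as proof, because browsers drop the header under strict referrer policies, whereas a Referer on a foreign host for a state-changing admin POST is a strong signal.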
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include applying the official patch and implementing protective configurations to prevent exploitation.
- Apply the patch from commit 087dab8841f8bdb54be184105ef19b47c5698fcb which adds CSRF token validation and input sanitization to the vulnerable endpoint.
- Ensure that the `saveSort.json.php` endpoint requires a valid CSRF token (`globalToken`) in POST requests; requests without a valid token should be rejected with HTTP 403.
- Validate and sanitize all input parameters, especially the `sections` array, allowing only alphanumeric characters and underscores.
- Replace any use of PHP `eval()` with safe dynamic property access to prevent code injection.
- If patching is not immediately possible, consider changing the session cookie `SameSite` attribute from `null` to `Lax` to reduce CSRF risk.
- Limit admin user exposure by educating them not to visit untrusted or suspicious web pages that could trigger CSRF attacks.
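The mitigation list above, shown side by side in code, as an added example that is not AVideo's code or the actual patch: the `eval()` pattern the advisory describes, followed by a hardened handler that rejects requests without a matching `globalToken`, restricts section names to `[A-Za-z0-9_]` and to properties that actually exist, and assigns them through dynamic property access instead of `eval()`, plus the `SameSite=Lax` cookie setting. The `GallerySettings` class, the function names and the way the session token is passed in are hypothetical.

```php
<?php
declare(strict_types=1);

// Added illustration, not AVideo's own code. GallerySettings, the function
// names and the token plumbing are hypothetical; the contrast follows the
// advisory: eval() on a request-controlled name versus a token-checked,
// whitelisted dynamic property assignment.

/** Hypothetical settings object; each public property is one section's sort position. */
final class GallerySettings
{
    public int $featured = 0;
    public int $latest = 0;
    public int $popular = 0;
}

/**
 * The vulnerable pattern ("before"): the section name from the request is
 * spliced into source text that eval() executes, so a crafted name runs as PHP.
 */
function saveSortVulnerable(GallerySettings $s, array $sections): void
{
    foreach ($sections as $position => $name) {
        eval('$s->' . $name . ' = ' . (int)$position . ';');
    }
}

/**
 * Hardened handler: returns [httpStatus, message] and only touches $s once
 * every check passes. $sessionToken stands for the server-side globalToken.
 */
function saveSortHardened(GallerySettings $s, array $post, string $sessionToken): array
{
    // CSRF: the token must be present and match, compared in constant time.
    $token = $post['globalToken'] ?? '';
    if (!is_string($token) || $token === '' || !hash_equals($sessionToken, $token)) {
        return [403, 'missing or invalid CSRF token'];
    }

    $sections = $post['sections'] ?? null;
    if (!is_array($sections)) {
        return [400, 'sections must be an array'];
    }

    // Allowed names are exactly the declared public properties of the object.
    $allowed = array_keys(get_object_vars($s));
    $assignments = [];
    foreach ($sections as $position => $name) {
        if (!is_string($name)
            || !preg_match('/^[A-Za-z0-9_]+$/', $name)
            || !in_array($name, $allowed, true)) {
            return [400, 'invalid section name'];
        }
        $assignments[$name] = (int)$position;
    }

    // Dynamic property access: no source text is ever evaluated.
    foreach ($assignments as $name => $position) {
        $s->{$name} = $position;
    }
    return [200, 'saved'];
}

/** Cookie hardening from the mitigation list; call before session_start(). */
function hardenSessionCookie(): void
{
    session_set_cookie_params([
        'samesite' => 'Lax',   // instead of None: cross-site POSTs no longer carry the cookie
        'secure'   => true,
        'httponly' => true,
    ]);
}

// Demo on constructed input.
$settings = new GallerySettings();
$sessionToken = bin2hex(random_bytes(16));

[$status, $msg] = saveSortHardened($settings, ['sections' => ['popular']], $sessionToken);
echo "no token      -> $status $msg\n";

[$status, $msg] = saveSortHardened($settings,
    ['globalToken' => $sessionToken, 'sections' => ['popular', 'not a name!']], $sessionToken);
echo "bad name      -> $status $msg\n";

[$status, $msg] = saveSortHardened($settings,
    ['globalToken' => $sessionToken, 'sections' => ['popular', 'featured', 'latest']], $sessionToken);
echo "valid request -> $status $msg; popular={$settings->popular} featured={$settings->featured} latest={$settings->latest}\n";
```

Two design points are worth noting. The name check is a whitelist against the object's real properties, not just a character-class regex, so a syntactically clean name that happens not to be a section is refused too. And the handler validates the whole array before assigning anything, so a request with one bad entry leaves the settings untouched rather than half-applied.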