CVE-2026-34611
CSRF in WWBN AVideo Email Endpoint Enables Mass Phishing
Publication date: 2026-03-31
Last updated on: 2026-04-01
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wwbn | avideo | up to and including 26.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is a CSRF attack against the endpoint objects/emailAllUsers.json.php on the AVideo platform. Detection means monitoring for unexpected POST requests to this endpoint, in particular requests whose Origin or Referer header points at a cross-origin site or does not match your own admin interface. Legitimate administrators also POST to this path when they send a bulk email, so the method and path alone are not enough; the discriminator is where the request came from.
You can detect potential exploitation attempts by inspecting web server logs or using network monitoring tools to identify POST requests to the vulnerable endpoint.
- Use grep or similar tools to search web server access logs for POST requests to objects/emailAllUsers.json.php, for example: grep 'POST /objects/emailAllUsers.json.php' /var/log/apache2/access.log
- Check for suspicious User-Agent headers or Referer values that do not match your admin interface (in the Apache "combined" log format the Referer is the first quoted field after the response size; a missing Referer is logged as "-").
- Use network monitoring tools like tcpdump or Wireshark to capture HTTP POST traffic to the endpoint and analyze it for unusual patterns.
- If you have access to the AVideo platform logs, look for admin session activity coinciding with POST requests to this endpoint.
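The log review described above, written out as a small scanner. This is an added example and not part of the CVE record or of the AVideo project; it assumes Apache/nginx "combined" log lines and that the instance is served from a host you pass in (video.example.com below). The sample log lines are constructed for the example; the two flagged entries are a POST whose Referer is a foreign site and a POST with no Referer at all.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Path from the advisory; the scanner matches it at the end of the request path
# so a deployment under a sub-directory is still caught.
ENDPOINT = "/objects/emailAllUsers.json.php"

# Combined log format (Apache "combined" / nginx default): the two trailing
# quoted fields are Referer and User-Agent; a missing Referer is logged as "-".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


@dataclass
class Finding:
    ip: str
    ts: str
    referer: str
    reason: str


def parse_line(line: str):
    """Return the log fields as a dict, or None for lines not in combined format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify_referer(referer: str, site_host: str):
    """Reason to flag a POST whose Referer does not prove a same-site origin, else None.

    A browser-issued cross-site form POST carries the attacker page's Referer
    (or none, under a strict referrer policy); the legitimate admin UI carries
    the instance's own host.
    """
    if referer in ("", "-"):
        return "missing referer"
    host = urlparse(referer).hostname or ""
    if host.lower() != site_host.lower():
        return "cross-site referer"
    return None


def scan_log(lines, site_host: str):
    """Return findings for POSTs to the email endpoint that look cross-site."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        path = rec["path"].split("?", 1)[0]
        if not path.endswith(ENDPOINT):
            continue
        reason = classify_referer(rec["referer"], site_host)
        if reason:
            findings.append(Finding(rec["ip"], rec["ts"], rec["referer"], reason))
    return findings


# Constructed sample log (not real traffic): one legitimate admin POST, one
# cross-site POST, one POST with no Referer, and two lines that must be ignored.
SAMPLE_LOG = """\
203.0.113.5 - - [31/Mar/2026:10:00:01 +0000] "POST /objects/emailAllUsers.json.php HTTP/1.1" 200 123 "https://video.example.com/" "Mozilla/5.0"
198.51.100.7 - - [31/Mar/2026:10:05:42 +0000] "POST /objects/emailAllUsers.json.php HTTP/1.1" 200 123 "https://evil.example.net/page.html" "Mozilla/5.0"
198.51.100.8 - - [31/Mar/2026:10:06:00 +0000] "POST /objects/emailAllUsers.json.php HTTP/1.1" 200 123 "-" "Mozilla/5.0"
203.0.113.5 - - [31/Mar/2026:10:07:00 +0000] "GET /objects/emailAllUsers.json.php HTTP/1.1" 200 123 "https://video.example.com/" "Mozilla/5.0"
203.0.113.9 - - [31/Mar/2026:10:08:00 +0000] "POST /index.php HTTP/1.1" 200 123 "https://evil.example.net/" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG.splitlines(), "video.example.com"):
        print(f"{f.ts} {f.ip} {f.reason}: referer={f.referer!r}")
```

Run it against a real file with `scan_log(open("/var/log/apache2/access.log"), "your.host")`. A finding is a lead, not proof: confirm it against the AVideo admin session activity at the same timestamp, since privacy extensions can strip the Referer from legitimate admin requests too.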
Can you explain this vulnerability to me?
This vulnerability exists in WWBN AVideo versions 26.0 and prior. The platform has an endpoint, objects/emailAllUsers.json.php, that allows administrators to send HTML emails to all registered users. Although the endpoint checks if the user is an admin, it does not verify a CSRF (Cross-Site Request Forgery) token.
Because AVideo sets the session cookies with SameSite=None, a cross-origin POST request from a malicious website can automatically include the admin's session cookie. This means if an attacker tricks an admin into visiting a malicious page, the attacker can send arbitrary HTML emails to every user on the platform, making the emails appear as if they come from the legitimate SMTP address of the instance.
At the time of publication, no public patches are available to fix this issue.
How can this vulnerability impact me?
An attacker exploiting this vulnerability can send arbitrary HTML emails to all users of the platform, appearing to come from the legitimate SMTP address of the instance.
This can lead to phishing attacks, spreading malware, or delivering malicious content to users, potentially compromising user trust and platform security.
Since the attack requires tricking an administrator into visiting a malicious page, it targets the platform's administrative users but impacts all registered users.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, administrators should avoid visiting untrusted or attacker-controlled web pages while logged into the AVideo platform to prevent CSRF attacks.
Since there are no publicly available patches at the time of publication, consider restricting access to the objects/emailAllUsers.json.php endpoint or implementing additional CSRF protections such as validating CSRF tokens.
Additionally, reviewing and possibly modifying the SameSite cookie attribute to a stricter setting than None may help reduce the risk of cross-origin requests including session cookies.
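To make the two mitigations above concrete (a CSRF token check on the endpoint and a stricter SameSite attribute on the session cookie), here is an added example in Python that is not AVideo's code, which is PHP. It models the request as a dict and puts the endpoint's current admin-only check next to a hardened guard that also requires a same-origin Origin/Referer header and an HMAC-bound CSRF token; the secret, session id and origins are constructed values.

```python
import hmac
import hashlib
from http.cookies import SimpleCookie
from urllib.parse import urlparse

# Constructed values for the example; a real deployment uses its own secret.
SERVER_SECRET = b"example-server-secret-not-for-production"
SITE_ORIGIN = "https://video.example.com"


def issue_csrf_token(secret: bytes, session_id: str) -> str:
    """Bind the token to the session so a token from one session is useless in another."""
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def validate_csrf_token(secret: bytes, session_id: str, token: str) -> bool:
    expected = issue_csrf_token(secret, session_id)
    return hmac.compare_digest(expected, token or "")


def same_origin(url: str, site_origin: str) -> bool:
    """Compare scheme, host and port; an empty header is treated as not same-origin."""
    if not url:
        return False
    a, b = urlparse(url), urlparse(site_origin)
    return (a.scheme, (a.hostname or "").lower(), a.port) == (
        b.scheme, (b.hostname or "").lower(), b.port)


def guard_vulnerable(request) -> tuple:
    """Shape of the check the advisory describes: admin status only, no token.

    A cross-site POST still carries the admin's cookie (SameSite=None), so the
    forged request is treated exactly like the admin's own.
    """
    if not request.get("is_admin"):
        return (False, "not admin")
    return (True, "ok")


def guard_hardened(request, secret=SERVER_SECRET, site_origin=SITE_ORIGIN) -> tuple:
    """Admin check plus origin check plus session-bound CSRF token."""
    if not request.get("is_admin"):
        return (False, "not admin")
    headers = request.get("headers", {})
    # Browsers set Origin on cross-site POSTs; fall back to Referer when absent.
    source = headers.get("Origin") or headers.get("Referer") or ""
    if not same_origin(source, site_origin):
        return (False, "cross-site request")
    token = request.get("form", {}).get("csrf_token", "")
    if not validate_csrf_token(secret, request.get("session_id", ""), token):
        return (False, "bad csrf token")
    return (True, "ok")


def session_cookie_header(session_id: str, samesite: str = "Lax") -> str:
    """Build the Set-Cookie value; SameSite=Lax stops the cookie riding on cross-site POSTs."""
    c = SimpleCookie()
    c["PHPSESSID"] = session_id
    m = c["PHPSESSID"]
    m["path"] = "/"
    m["secure"] = True
    m["httponly"] = True
    m["samesite"] = samesite
    return c.output(header="").strip()


def forged_request(session_id: str):
    """What the server sees when an admin's browser is made to submit a cross-site form."""
    return {"is_admin": True, "session_id": session_id,
            "headers": {"Origin": "https://evil.example.net"},
            "form": {"subject": "x", "message": "<p>x</p>"}}


def legitimate_request(session_id: str):
    return {"is_admin": True, "session_id": session_id,
            "headers": {"Origin": SITE_ORIGIN},
            "form": {"subject": "x", "message": "<p>x</p>",
                     "csrf_token": issue_csrf_token(SERVER_SECRET, session_id)}}


if __name__ == "__main__":
    sid = "constructed-session-id"
    print("vulnerable guard, forged request:", guard_vulnerable(forged_request(sid)))
    print("hardened guard, forged request:  ", guard_hardened(forged_request(sid)))
    print("hardened guard, admin request:   ", guard_hardened(legitimate_request(sid)))
    print("Set-Cookie:", session_cookie_header(sid))
```

The origin check alone already blocks the cross-site POST in the scenario the advisory describes; the token check is kept because Origin and Referer can be absent for legitimate clients, and the two defences fail independently. On the cookie side, SameSite=Lax is enough for a same-site admin UI; Strict also blocks top-level navigations from other sites, which may log admins out of links they follow from email.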
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows an attacker to send arbitrary HTML emails to all registered users on the platform by exploiting a CSRF flaw in an admin-only endpoint. This can lead to mass phishing campaigns using highly credible emails that appear to originate from the legitimate platform.
Such phishing attacks can facilitate credential harvesting and malware distribution, potentially compromising user data and privacy.
While the CVE description does not explicitly mention compliance with standards like GDPR or HIPAA, the ability to send unauthorized emails to all users and potentially compromise user credentials or data could lead to violations of data protection and privacy regulations.
Therefore, this vulnerability poses a risk to compliance with common standards and regulations that require protection of user data and prevention of unauthorized access or disclosure.