CVE-2026-34613
Received Received - Intake
CSRF Vulnerability in WWBN AVideo Plugin Management Enables Security Bypass

Publication date: 2026-03-31

Last updated on: 2026-04-01

Assigner: GitHub, Inc.

Description
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo endpoint objects/pluginSwitch.json.php allows administrators to enable or disable any installed plugin. The endpoint checks for an active admin session but does not validate a CSRF token. Additionally, the plugins database table is explicitly listed in ignoreTableSecurityCheck(), which means the ORM-level Referer/Origin domain validation in ObjectYPT::save() is also bypassed. Combined with SameSite=None on session cookies, an attacker can disable critical security plugins (such as LoginControl for 2FA, subscription enforcement, or access control plugins) by luring an admin to a malicious page. At time of publication, there are no publicly available patches.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-31
Last Modified
2026-04-01
Generated
2026-06-16
AI Q&A
2026-04-01
EPSS Evaluated
2026-06-15
NVD
CVE-2026-34613
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wwbn avideo to 26.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-352 The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in WWBN AVideo versions 26.0 and prior, specifically in the endpoint objects/pluginSwitch.json.php. This endpoint allows administrators to enable or disable any installed plugin and checks for an active admin session but does not validate a CSRF token.

Additionally, the plugins database table is excluded from ORM-level Referer/Origin domain validation, which means that the usual security checks are bypassed. Because session cookies have SameSite=None, an attacker can trick an administrator into visiting a malicious page that causes critical security plugins to be disabled without the administrator's consent.

Impact Analysis

An attacker exploiting this vulnerability can disable critical security plugins such as LoginControl for two-factor authentication, subscription enforcement, or access control plugins.

This can lead to a reduction in the security posture of the affected system, potentially allowing unauthorized access or bypassing important security controls.

Mitigation Strategies

Since there are no publicly available patches at the time of publication, immediate mitigation steps should focus on reducing the risk of exploitation.

  • Restrict administrative access to trusted networks and users only.
  • Avoid having administrators visit untrusted or potentially malicious websites while logged into the AVideo admin interface.
  • Consider disabling or limiting the use of the vulnerable endpoint objects/pluginSwitch.json.php if possible.
  • Monitor administrative sessions and plugin status for unexpected changes.
Compliance Impact

The vulnerability allows an attacker to disable critical security plugins such as two-factor authentication (2FA), subscription enforcement, or access control plugins by exploiting a CSRF weakness combined with session cookie settings. This can lead to weakened security controls and unauthorized access.

While the CVE description does not explicitly mention compliance with standards like GDPR or HIPAA, the ability to disable security mechanisms could potentially result in non-compliance with these regulations, which require adequate access controls and protection of sensitive data.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-34613. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart