CVE-2026-40925
Cross-Site Request Forgery in WWBN AVideo Admin Config Update

Publication date: 2026-04-21

Last updated on: 2026-04-24

Assigner: GitHub, Inc.

Description
WWBN AVideo is an open source video platform. In versions 29.0 and prior, `objects/configurationUpdate.json.php` (also routed via `/updateConfig`) persists dozens of global site settings from `$_POST` but protects the endpoint only with `User::isAdmin()`. It does not call `forbidIfIsUntrustedRequest()`, does not verify a `globalToken`, and does not validate the Origin/Referer header. Because AVideo intentionally sets `session.cookie_samesite=None` to support cross-origin iframe embedding, a logged-in administrator who visits an attacker-controlled page will have the browser auto-submit a cross-origin POST that rewrites the site's encoder URL, SMTP credentials, site `<head>` HTML, logo, favicon, contact email, and more in a single request. Commit f9492f5e6123dff0292d5bb3164fde7665dc36b4 contains a fix.
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-04-22
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (1 associated CPE)
Vendor: wwbn
Product: avideo
Version / Range: up to and including 29.0
CWE
CWE-352: The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability allows an attacker to perform unauthorized changes to critical site settings such as encoder URL, SMTP credentials, site HTML, logo, favicon, and contact email by exploiting insufficient request validation and cross-origin POST requests. Such unauthorized modifications can lead to data integrity and confidentiality issues.

Because the vulnerability enables an attacker to alter SMTP credentials and other site configurations, it may result in unauthorized access to sensitive data or disruption of services, potentially violating data protection requirements under regulations like GDPR and HIPAA.

However, the provided information does not explicitly detail the direct impact on compliance with these standards.


Can you explain this vulnerability to me?

This vulnerability exists in WWBN AVideo versions 29.0 and prior, specifically in the endpoint that updates global site settings via the file objects/configurationUpdate.json.php (also accessible through /updateConfig). The endpoint accepts numerous global site settings from POST requests but only protects itself by checking if the user is an administrator using User::isAdmin().

However, it lacks additional security measures such as forbidding untrusted requests, verifying a global token, or validating the Origin or Referer headers. Because the platform sets session.cookie_samesite=None to allow cross-origin iframe embedding, a logged-in administrator who visits a malicious website can have their browser automatically submit a cross-origin POST request. This request can overwrite critical site settings like the encoder URL, SMTP credentials, site HTML head content, logo, favicon, contact email, and more in a single action.


How can this vulnerability impact me?

The vulnerability allows an attacker to perform unauthorized changes to the global configuration of the AVideo platform by exploiting a logged-in administrator's session. This can lead to:

  • Modification of the encoder URL, potentially redirecting video processing to malicious or compromised servers.
  • Alteration of SMTP credentials, which could enable attackers to send emails from the site, possibly for phishing or spam.
  • Changing site branding elements such as the logo and favicon, which can be used for defacement or social engineering.
  • Updating the site’s <head> HTML content, which could be used to inject malicious scripts or tracking.
  • Changing the contact email, potentially intercepting communications.

Overall, this can compromise the integrity, confidentiality, and availability of the platform, leading to potential data breaches, loss of trust, and operational disruption.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, you should update WWBN AVideo to a version that includes the fix, specifically after commit f9492f5e6123dff0292d5bb3164fde7665dc36b4.

Additionally, ensure that the endpoint /updateConfig (objects/configurationUpdate.json.php) properly validates requests by calling forbidIfIsUntrustedRequest(), verifying a globalToken, and validating the Origin/Referer headers to prevent unauthorized cross-origin POST requests.

As a temporary measure, restrict access to the updateConfig endpoint to trusted administrators only and consider adjusting session cookie settings to prevent cross-origin requests if feasible.
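The request checks named in the mitigation above, as an added PHP illustration that is not AVideo's own code: `forbidIfIsUntrustedRequest()` and `globalToken` are the project's names from the advisory, but the helper functions, the trusted host and the sample requests below are assumptions constructed for this example.

```php
<?php
declare(strict_types=1);
// Added example, not AVideo's code. Models the guard the advisory says
// configurationUpdate.json.php lacks: Origin/Referer validation plus a
// per-session globalToken. All names below are assumptions for illustration.

const TRUSTED_HOSTS = ['video.example.com']; // assumed site host

function originIsTrusted(array $server): bool {
    // Prefer Origin, fall back to Referer. A form auto-submitted from another
    // site carries that site's Origin; a missing header is rejected as well.
    $src  = $server['HTTP_ORIGIN'] ?? $server['HTTP_REFERER'] ?? '';
    $host = parse_url($src, PHP_URL_HOST);
    return is_string($host) && in_array(strtolower($host), TRUSTED_HOSTS, true);
}

function tokenIsValid(?string $submitted, ?string $expected): bool {
    // Constant-time compare; an empty or absent session token never matches.
    return is_string($submitted) && is_string($expected)
        && $expected !== '' && hash_equals($expected, $submitted);
}

// True only when the config update may proceed. The session cookie being
// present (i.e. User::isAdmin() passing) is deliberately not sufficient,
// because SameSite=None lets the browser attach it to cross-origin POSTs.
function isTrustedConfigUpdate(array $server, array $post, array $session): bool {
    return ($server['REQUEST_METHOD'] ?? '') === 'POST'
        && originIsTrusted($server)
        && tokenIsValid($post['globalToken'] ?? null, $session['globalToken'] ?? null);
}

// Constructed sample requests (not captured traffic).
$session = ['globalToken' => bin2hex(random_bytes(16))]; // issued with the admin form
$sameSite = [
    'server' => ['REQUEST_METHOD' => 'POST', 'HTTP_ORIGIN' => 'https://video.example.com'],
    'post'   => ['encoderURL' => 'https://encoder.example.com/', 'globalToken' => $session['globalToken']],
];
$crossSite = [ // cookie would be sent, but neither a trusted Origin nor the token
    'server' => ['REQUEST_METHOD' => 'POST', 'HTTP_ORIGIN' => 'https://other.example.net'],
    'post'   => ['encoderURL' => 'https://other.example.net/'],
];
var_dump(isTrustedConfigUpdate($sameSite['server'], $sameSite['post'], $session));
var_dump(isTrustedConfigUpdate($crossSite['server'], $crossSite['post'], $session));
```

In the real handler the guard would run right after the admin check and before any `$_POST` value is written to the global configuration.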

