CVE-2026-40926
Received - Intake
CSRF Vulnerability in WWBN AVideo Admin JSON Endpoints

Publication date: 2026-04-21

Last updated on: 2026-04-23

Assigner: GitHub, Inc.

Description
WWBN AVideo is an open source video platform. In versions 29.0 and prior, three admin-only JSON endpoints (`objects/categoryAddNew.json.php`, `objects/categoryDelete.json.php`, and `objects/pluginRunUpdateScript.json.php`) enforce only a role check (`Category::canCreateCategory()` / `User::isAdmin()`) and perform state-changing actions against the database without calling `isGlobalTokenValid()` or `forbidIfIsUntrustedRequest()`. Peer endpoints in the same directory (`pluginSwitch.json.php`, `pluginRunDatabaseScript.json.php`) do enforce the CSRF token, so the missing checks are an omission rather than a design choice. An attacker who lures a logged-in admin to a malicious page can create, update, or delete categories and force execution of any installed plugin's `updateScript()` method in the admin's session. Commit ee5615153c40628ab3ec6fe04962d1f92e67d3e2 contains a fix.
Meta Information
Published: 2026-04-21
Last Modified: 2026-04-23
Generated: 2026-05-07
AI Q&A: 2026-04-22
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: wwbn
Product: avideo
Version range: up to and including 29.0
CWE
CWE-352: The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability affects WWBN AVideo versions 29.0 and prior. Three admin-only JSON endpoints (`objects/categoryAddNew.json.php`, `objects/categoryDelete.json.php`, and `objects/pluginRunUpdateScript.json.php`) perform state-changing database actions after checking only the caller's role (`Category::canCreateCategory()` / `User::isAdmin()`); they never call `isGlobalTokenValid()` or `forbidIfIsUntrustedRequest()`, the checks that peer endpoints in the same directory use. A role check alone does not stop cross-site request forgery: when a malicious page submits a request to the site, the browser attaches the admin's session cookie automatically, so the server sees a legitimately authenticated admin. An attacker who gets a logged-in admin to visit such a page can therefore create, update, or delete categories and run any installed plugin's `updateScript()` in the admin's session.


How can this vulnerability impact me?

An attacker who lures a logged-in admin to a page they control can, through the admin's session, create, update, or delete categories and force any installed plugin's `updateScript()` to run. The attacker needs no credentials of their own; the admin's browser supplies the session. The impact is to the integrity and availability of the platform: category data can be altered or removed, and plugin update scripts run at a time of the attacker's choosing rather than the operator's. The CVE description does not claim arbitrary code execution; what runs is the update routine of a plugin that is already installed.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, update WWBN AVideo to a version that includes the fix from commit ee5615153c40628ab3ec6fe04962d1f92e67d3e2; this page lists versions up to and including 29.0 as affected.

The vulnerability exists because certain admin-only JSON endpoints do not enforce CSRF token validation, allowing an attacker to perform state-changing actions if an admin is tricked into visiting a malicious page.

Applying the fix adds the server-side checks those endpoints were missing. No workaround is given on this page. Browser SameSite cookie defaults make cross-site POST requests harder to forge but do not replace the server-side check, so do not rely on them instead of patching; until the fix is applied, admins reduce their exposure by not browsing untrusted sites while logged in to the AVideo admin interface.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows an attacker to perform unauthorized state-changing actions in the admin's session by exploiting missing CSRF token checks on certain admin-only JSON endpoints. This could lead to unauthorized modification or deletion of categories and forced execution of plugin update scripts.

While the CVE description does not explicitly mention compliance with standards such as GDPR or HIPAA, the ability for an attacker to manipulate administrative functions without proper authorization could potentially lead to violations of data integrity and security requirements mandated by these regulations.

Therefore, this vulnerability may negatively impact compliance with common security standards and regulations that require strict access controls and protection against unauthorized actions.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability is the absence, on three admin-only JSON endpoints (`objects/categoryAddNew.json.php`, `objects/categoryDelete.json.php`, and `objects/pluginRunUpdateScript.json.php`), of the two request-validation checks that AVideo's peer endpoints use: `isGlobalTokenValid()` (the CSRF token check) and `forbidIfIsUntrustedRequest()`. Detection therefore has two sides: confirming whether your install still lacks the checks, and watching for requests that exploit their absence.

The quickest static check is to inspect the three files for those two function names, or to confirm that the fix commit ee5615153c40628ab3ec6fe04962d1f92e67d3e2 is in your checkout's history. The dynamic check is to send a POST to each endpoint with a valid admin session cookie but no CSRF token and see whether the action is performed. Do the dynamic check only against a staging copy: these endpoints really do the work, so the delete request removes a category and the plugin request runs that plugin's `updateScript()`.

Example curl commands (replace the host, the session cookie, and the parameters; the parameter names below are illustrative and should be confirmed against each endpoint's source). Two details matter: `-b` must receive a `name=value` pair, since curl treats an argument without `=` as the path of a cookie file, and `PHPSESSID` is PHP's default session cookie name, so substitute the name your site uses:

  • Test category creation or overwrite: curl -b 'PHPSESSID=<admin session id>' -d 'id=0&name=TestCategory' 'https://your-avideo-site/objects/categoryAddNew.json.php'
  • Test category deletion: curl -b 'PHPSESSID=<admin session id>' -d 'id=123' 'https://your-avideo-site/objects/categoryDelete.json.php'
  • Test plugin update script execution: curl -b 'PHPSESSID=<admin session id>' -d 'name=pluginName' 'https://your-avideo-site/objects/pluginRunUpdateScript.json.php'

If the endpoint performs the action even though no global token was sent (the JSON response reports success and the category or plugin change is visible), that endpoint is unpatched. A rejection is only evidence of the fix if the session itself was accepted; a request refused because the cookie was wrong or expired tells you nothing about the CSRF check.

For exploitation attempts, review web server access logs for POST requests to these three paths. A forged request submitted from a malicious page carries that page's origin in the `Origin` or `Referer` header if the browser sends one at all, so entries whose `Origin`/`Referer` is absent or not your site deserve attention, as do category changes and plugin update runs that no administrator remembers initiating. Once patched, forged requests are rejected server-side but still appear in the logs, so a cluster of POSTs to these paths from off-site origins after the fix is still worth investigating.
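As an added example (not AVideo project code), the following POSIX shell script performs the static side of that check against an AVideo install or checkout. It tests the two facts the advisory states: whether the fix commit ee5615153c40628ab3ec6fe04962d1f92e67d3e2 is in the checkout's history, and whether each of the three endpoint files calls either `isGlobalTokenValid()` or `forbidIfIsUntrustedRequest()`. The file paths and guard names come from the advisory; the script name, its usage line, and the status words it prints are assumptions of this example.

```shell
#!/bin/sh
# Added example for CVE-2026-40926; not part of AVideo.
# Usage (assumed, not a project convention):
#   sh check_cve_2026_40926.sh /var/www/avideo
# Exit status is the number of endpoint files that call neither guard.

CVE_FIX_COMMIT=ee5615153c40628ab3ec6fe04962d1f92e67d3e2

# The three endpoint paths named in the advisory, relative to the AVideo root.
CVE_ENDPOINTS='objects/categoryAddNew.json.php
objects/categoryDelete.json.php
objects/pluginRunUpdateScript.json.php'

# Either guard named in the advisory counts as "guarded" here; a stricter
# audit could require the token check specifically, since that is what the
# advisory says the patched peer endpoints enforce.
GUARD_RE='isGlobalTokenValid|forbidIfIsUntrustedRequest'

# endpoint_guard_status ROOT RELPATH
#   exit 0: file calls at least one guard
#   exit 1: file exists but calls neither guard (the vulnerable state)
#   exit 2: file is absent (not an AVideo root, or a different layout)
endpoint_guard_status() {
    f="$1/$2"
    [ -f "$f" ] || return 2
    grep -Eq "$GUARD_RE" "$f"
}

# audit_endpoints ROOT
#   prints one status line per endpoint; exit status = count of unguarded files
audit_endpoints() {
    root="$1"
    unguarded=0
    for ep in $CVE_ENDPOINTS; do
        endpoint_guard_status "$root" "$ep"
        rc=$?
        case $rc in
            0) echo "guarded    $ep" ;;
            2) echo "missing    $ep" ;;
            *) echo "UNGUARDED  $ep"; unguarded=$((unguarded + 1)) ;;
        esac
    done
    return "$unguarded"
}

# fix_commit_present ROOT
#   exit 0 if ROOT is a git checkout whose HEAD already contains the fix
#   commit, nonzero otherwise (including installs deployed without .git,
#   where only the file audit above can answer the question)
fix_commit_present() {
    git -C "$1" merge-base --is-ancestor "$CVE_FIX_COMMIT" HEAD 2>/dev/null
}

if [ "$#" -gt 0 ]; then
    if fix_commit_present "$1"; then
        echo "git: HEAD contains fix commit $CVE_FIX_COMMIT"
    else
        echo "git: fix commit not in history (or not a git checkout)"
    fi
    audit_endpoints "$1"
    exit "$?"
fi
```

A "guarded" result only shows that a guard's name appears in the file; it does not prove the call runs before the state change or is not commented out, so read the file when the result matters. Run the git check on the checkout you actually deploy from, since a packaged install without `.git` will always report the commit as absent.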

