CVE-2026-40928
CSRF in WWBN AVideo JSON Endpoints Enables Unauthorized Actions
Publication date: 2026-04-21
Last updated on: 2026-04-23
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wwbn | avideo | up to and including 29.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Exploitation of this vulnerability shows up in web server logs as requests to the affected JSON endpoints under the objects/ directory of AVideo 29.0 and earlier that originate from another site. Because the endpoints read their parameters from $_REQUEST or $_GET, the forged request can be a GET (for example from an image tag) or a POST (from an auto-submitting form), so do not filter on method. Look for state-changing requests whose Referer or Origin header is absent or points at a host other than your own AVideo instance. Note that vulnerable versions issue no anti-CSRF token at all, so the absence of a token in a request is not by itself a distinguishing signal; the foreign or missing origin is.
You can use network traffic inspection tools or web server logs to identify requests to the following endpoints with query parameters that may indicate exploitation attempts:
- objects/comments_like.json.php (e.g., requests with comments_id parameter)
- objects/commentAddNew.json.php (e.g., requests with parameters for posting comments)
- objects/categoryDeleteAssets.json.php (e.g., requests attempting asset deletion)
Example commands to find such requests in web server logs (assuming Apache combined-format logs in access.log, where the seventh quoted field is the Referer; the common log format omits it, so enable the combined format if you need origin information):
- grep -E '/objects/(comments_like|commentAddNew|categoryDeleteAssets)\.json\.php' /var/log/apache2/access.log
- grep -E '/objects/(comments_like|commentAddNew|categoryDeleteAssets)\.json\.php' /var/log/apache2/access.log | grep -v '"https://your-avideo-host/' (replace your-avideo-host with your site's hostname; this lists hits whose Referer is not your own site, including requests logged with no Referer at all, which appear as "-")
Hits on these endpoints with a missing Referer/Origin, or with one from a foreign host, are the strongest indicator and should be treated as likely exploitation attempts against logged-in users.
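The same triage done programmatically, as an added example that is not code from the page or from the AVideo project: it parses Apache combined-format lines, keeps only hits on the three endpoints named in the advisory, and flags those whose Referer is missing or belongs to another host. The site hostname video.example, the attacker host attacker.example and the log lines are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# AVideo JSON endpoints named in the advisory (real paths; everything else below is constructed).
CSRF_ENDPOINTS = (
    "/objects/comments_like.json.php",
    "/objects/commentAddNew.json.php",
    "/objects/categoryDeleteAssets.json.php",
)

# Apache "combined" log format: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return the named fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(entry, site_host):
    """Return a reason string if the entry looks like a cross-site hit on a CSRF-prone endpoint, else None."""
    path = urlsplit(entry["target"]).path   # drop the query string before matching
    if path not in CSRF_ENDPOINTS:
        return None
    ref = entry["referer"]
    if ref in ("", "-"):                    # Apache logs a missing Referer as "-"
        return "state-changing endpoint hit with no Referer"
    ref_host = urlsplit(ref).hostname
    if ref_host != site_host:
        return f"cross-site Referer {ref_host}"
    return None                              # same-site request: not suspicious on its own


def flag_csrf_candidates(log_text, site_host):
    """Scan log text (any HTTP method) and return the suspicious entries in file order."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reason = classify(entry, site_host)
        if reason:
            hits.append({"ip": entry["ip"], "method": entry["method"],
                         "target": entry["target"], "reason": reason})
    return hits


# Constructed sample log: two cross-site hits, one POST with no Referer, one legitimate
# same-site like, and one unrelated request.
SAMPLE_LOG = """\
203.0.113.5 - - [21/Apr/2026:10:15:32 +0000] "GET /objects/comments_like.json.php?comments_id=17 HTTP/1.1" 200 45 "https://attacker.example/bait.html" "Mozilla/5.0"
203.0.113.5 - - [21/Apr/2026:10:15:33 +0000] "POST /objects/commentAddNew.json.php HTTP/1.1" 200 120 "-" "Mozilla/5.0"
198.51.100.7 - - [21/Apr/2026:10:16:01 +0000] "GET /objects/comments_like.json.php?comments_id=17 HTTP/1.1" 200 45 "https://video.example/video/123" "Mozilla/5.0"
198.51.100.7 - - [21/Apr/2026:10:16:05 +0000] "GET /objects/categoryDeleteAssets.json.php HTTP/1.1" 200 30 "https://attacker.example/bait.html" "Mozilla/5.0"
198.51.100.9 - - [21/Apr/2026:10:17:00 +0000] "GET /index.php HTTP/1.1" 200 5000 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for hit in flag_csrf_candidates(SAMPLE_LOG, "video.example"):
        print(hit)
```

Run it against a real file with `flag_csrf_candidates(open("/var/log/apache2/access.log").read(), "your-avideo-host")`. A missing Referer is flagged rather than ignored because privacy settings strip it for some legitimate users too, so review those hits against the session's other activity before acting on them.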
Can you explain this vulnerability to me?
This vulnerability affects WWBN AVideo, an open source video platform, in versions 29.0 and prior. Multiple JSON endpoints under the "objects/" path accept state-changing requests via $_REQUEST or $_GET without any anti-CSRF token, origin check, or referer check. This means that a malicious webpage visited by a logged-in user can perform actions on behalf of that user without their consent.
- The attacker can flip the victim's like or dislike on any comment.
- The attacker can post a comment authored by the victim with attacker-chosen text on any video.
- If the victim has category management rights, the attacker can delete assets from any category.
Exploitation only requires a logged-in victim to load attacker-controlled HTML, for example a page containing an image tag whose src points at one of the endpoints, or an auto-submitting form posting to it; the browser attaches the victim's AVideo session cookie automatically, so no further interaction is needed.
How can this vulnerability impact me?
This vulnerability can impact you by allowing attackers to perform unauthorized actions on your behalf if you are logged into the affected AVideo platform.
- Attackers can manipulate your interactions, such as changing likes or dislikes on comments.
- Attackers can post comments using your account, potentially damaging your reputation or spreading misinformation.
- If you have category management rights, attackers can delete assets, leading to data loss.
Overall, this can lead to loss of control over your account actions and potential damage to content integrity.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, update WWBN AVideo to a version that includes the fix, specifically after commit 7aaad601bd9cd7b993ba0ee1b1bea6c32ee7b77c.
Since the root cause is the absence of anti-CSRF tokens and Origin/Referer validation on state-changing JSON endpoints, verify after upgrading that each such endpoint rejects requests that lack a valid per-session token or whose Origin/Referer is not your own host, and apply the same checks to any forked or custom objects/*.json.php handlers. Setting the session cookie's SameSite attribute (Lax or Strict) is worthwhile defense in depth, but because these endpoints act on plain GET requests, Lax still sends the cookie on a cross-site top-level navigation such as a clicked link or a redirect, so it does not replace the upstream fix.
Until the update is deployed, warn users not to browse untrusted pages while logged in to the AVideo platform, and review the endpoints' logs for cross-origin hits.
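To make both the attack described above and the checks recommended here concrete, the following added example (written for this page, not code from the AVideo project and not a description of commit 7aaad601) models a like-toggle handler in Python. `vulnerable_like` reproduces the pre-fix pattern of acting on the request parameters alone; `hardened_like` adds the three standard defenses: require POST so an image tag or link cannot trigger it, accept only a same-site Origin/Referer, and require a per-session anti-CSRF token compared in constant time. The hostnames, the session object and the scenarios are constructed for the example.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Assumed host the AVideo instance is served from (illustrative, not from the advisory).
SITE_HOST = "video.example"


class Session:
    """Minimal stand-in for a logged-in AVideo session identified by a cookie."""

    def __init__(self, user):
        self.user = user
        self.likes = {}                                # comments_id -> "like" / "dislike"
        self.csrf_token = secrets.token_urlsafe(32)    # issued once per session, sent to the UI


def apply_like(session, params):
    """The actual state change: flip the like on comments_id (parameter name from the advisory)."""
    cid = params.get("comments_id")
    if cid is None:
        return (False, "missing comments_id")
    session.likes[cid] = "dislike" if session.likes.get(cid) == "like" else "like"
    return (True, "like toggled")


def vulnerable_like(session, method, headers, params):
    """Pre-fix pattern: trusts $_REQUEST/$_GET, so any request that carries the victim's
    session cookie flips the like, whatever site it came from and whatever the method."""
    return apply_like(session, params)


def origin_is_trusted(headers):
    """Prefer Origin, fall back to Referer; reject when neither is present or the host differs."""
    src = headers.get("Origin") or headers.get("Referer")
    if not src:
        return False
    return urlsplit(src).hostname == SITE_HOST


def hardened_like(session, method, headers, params):
    if method != "POST":
        return (False, "state change requires POST")    # <img> and plain links can only make GETs
    if not origin_is_trusted(headers):
        return (False, "untrusted or missing Origin/Referer")
    token = params.get("csrf_token", "")
    if not isinstance(token, str) or not hmac.compare_digest(token.encode(), session.csrf_token.encode()):
        return (False, "bad anti-CSRF token")
    return apply_like(session, params)


def run_scenarios():
    """Constructed scenarios: cross-site GET, cross-site POST form, and a legitimate same-site request."""
    victim = Session("victim")
    # 1. <img src="https://video.example/objects/comments_like.json.php?comments_id=17"> on attacker.example
    csrf_headers = {"Referer": "https://attacker.example/bait.html"}
    csrf_params = {"comments_id": "17"}
    before_fix = vulnerable_like(victim, "GET", csrf_headers, csrf_params)
    after_fix = hardened_like(victim, "GET", csrf_headers, csrf_params)
    # 2. Auto-submitting form on attacker.example: right method, wrong origin, no token
    post_attempt = hardened_like(victim, "POST", {"Origin": "https://attacker.example"}, csrf_params)
    # 3. The site's own UI: same origin and the session's token
    legit = hardened_like(victim, "POST", {"Origin": "https://video.example"},
                          {"comments_id": "17", "csrf_token": victim.csrf_token})
    return {"before_fix": before_fix, "after_fix": after_fix,
            "post_attempt": post_attempt, "legit": legit}


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: {result}")
```

The Origin/Referer check is kept even though the token alone would stop the forged request: the token protects against a bug that forgets to send it only if every caller is updated, whereas the origin check is cheap and also blocks the request before any token handling runs. Neither check depends on SameSite cookie behaviour, so they hold for users on browsers with any cookie policy.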
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows attackers to perform unauthorized state-changing actions on behalf of authenticated users without their consent, such as altering likes/dislikes, posting comments, or deleting assets. This lack of proper authorization and anti-CSRF protections could lead to unauthorized data manipulation and potential data integrity issues.
Such unauthorized actions may impact compliance with standards like GDPR and HIPAA, which require ensuring data integrity, user consent, and protection against unauthorized access or modification of personal data. However, the provided information does not explicitly detail the direct compliance impact.