CVE-2026-40929
Received Received - Intake
CSRF Vulnerability in WWBN AVideo Comment Deletion Endpoint

Publication date: 2026-04-21

Last updated on: 2026-04-23

Assigner: GitHub, Inc.

Description
WWBN AVideo is an open source video platform. In versions 29.0 and prior, `objects/commentDelete.json.php` is a state-mutating JSON endpoint that deletes comments but performs no CSRF validation. It does not call `forbidIfIsUntrustedRequest()`, does not verify a CSRF/global token, and does not check `Origin`/`Referer`. Because AVideo intentionally sets `session.cookie_samesite=None` (to support cross-origin embed players), a cross-site request from any attacker-controlled page automatically carries the victim's `PHPSESSID`. Any authenticated victim who has authority to delete one or more comments (site moderators, video owners, and comment authors) can be tricked into deleting comments en masse simply by visiting an attacker page. Commit 184f36b1896f3364f864f17c1acca3dd8df3af27 contains a fix.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-21
Last Modified
2026-04-23
Generated
2026-06-16
AI Q&A
2026-04-22
EPSS Evaluated
2026-06-15
NVD
CVE-2026-40929
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wwbn avideo to 29.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-352 The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in WWBN AVideo versions 29.0 and prior in the endpoint objects/commentDelete.json.php, which deletes comments but lacks Cross-Site Request Forgery (CSRF) protection.

The endpoint does not perform CSRF validation, does not call forbidIfIsUntrustedRequest(), does not verify a CSRF or global token, and does not check the Origin or Referer headers.

Because the platform sets session.cookie_samesite=None to support cross-origin embed players, a cross-site request from an attacker-controlled page automatically includes the victim's PHPSESSID cookie.

As a result, any authenticated user with permission to delete comments (such as site moderators, video owners, or comment authors) can be tricked into deleting multiple comments simply by visiting a malicious page.

A fix for this issue is included in commit 184f36b1896f3364f864f17c1acca3dd8df3af27.

Impact Analysis

This vulnerability can lead to unauthorized deletion of comments by tricking authorized users into performing actions they did not intend.

Specifically, attackers can cause authenticated users with comment deletion privileges to delete comments en masse without their consent.

This can result in loss of user-generated content, disruption of discussions, and potential damage to the community or platform reputation.

Mitigation Strategies

To mitigate this vulnerability, update WWBN AVideo to a version that includes the fix from commit 184f36b1896f3364f864f17c1acca3dd8df3af27.

The vulnerability exists because the endpoint objects/commentDelete.json.php does not perform CSRF validation, allowing attackers to trick authenticated users into deleting comments.

Until the update is applied, consider restricting access to the comment deletion endpoint or implementing additional CSRF protections manually.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-40929. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart