CVE-2026-43877
Received Received - Intake
Path Traversal in WWBN AVideo

Publication date: 2026-05-11

Last updated on: 2026-05-11

Assigner: GitHub, Inc.

Description
WWBN AVideo is an open source video platform. In versions up to and including 29.0, objects/userSavePhoto.php is a legacy profile-photo endpoint that accepts a base64 POST parameter and writes the decoded bytes to videos/userPhoto/photo<users_id>.png. Its only access control is User::isLogged(). It does not end in .json.php, so it is excluded from the project's global autoCSRFGuard (which is suffix-scoped in objects/include_config.php). There is no CSRF token, no Origin/Referer check, and no MIME validation of the decoded bytes. Because AVideo's default cookie policy is SameSite=None; Secure on HTTPS (objects/functionsPHP.php:227), an attacker who lures a logged-in user to a malicious page can overwrite that user's profile photo with arbitrary bytes and also triggers a site-wide clearCache(true) on every forged request. Commit 9c38468041505e637101c5943c5370c68f48e3ac contains an updated fix.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-11
Last Modified
2026-05-11
Generated
2026-06-21
AI Q&A
2026-05-12
EPSS Evaluated
2026-06-20
NVD
CVE-2026-43877
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wwbn avideo to 29.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-352 The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in WWBN AVideo, an open source video platform, specifically in versions up to and including 29.0. The issue is in the legacy profile-photo endpoint objects/userSavePhoto.php, which accepts a base64 POST parameter and writes the decoded bytes to a user's profile photo file without proper security controls.

The endpoint only checks if the user is logged in (User::isLogged()) but lacks CSRF protection, Origin/Referer checks, and MIME validation of the uploaded data. Additionally, it is excluded from the project's global CSRF guard because it does not have the expected .json.php suffix.

Because the platform's default cookie policy is SameSite=None; Secure on HTTPS, an attacker can trick a logged-in user into visiting a malicious page that sends a forged request to overwrite that user's profile photo with arbitrary data. This request also triggers a site-wide cache clear.

Impact Analysis

This vulnerability allows an attacker to overwrite a logged-in user's profile photo with arbitrary data by exploiting the lack of CSRF protection and validation.

The impact includes the potential for malicious content to be uploaded as a profile photo, which could be used for defacement or to deliver harmful payloads.

Additionally, each forged request triggers a site-wide cache clear, which could degrade performance or availability temporarily.

The CVSS score of 5.4 indicates a medium severity with low attack complexity but requiring user interaction.

Mitigation Strategies

To mitigate this vulnerability, you should update WWBN AVideo to a version that includes the fix from commit 9c38468041505e637101c5943c5370c68f48e3ac.

Additionally, consider implementing proper CSRF protections on the legacy profile-photo endpoint (objects/userSavePhoto.php), such as adding CSRF tokens, enforcing Origin/Referer checks, and validating MIME types of uploaded content.

Restrict access controls beyond just User::isLogged() to prevent unauthorized profile photo overwrites.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-43877. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart