CVE-2026-43880
Email Spoofing via SMTP in AVideo
Publication date: 2026-05-11
Last updated on: 2026-05-11
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wwbn | avideo | up to and including 29.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-940 | The product establishes a communication channel to handle an incoming request that has been initiated by an actor, but it does not properly verify that the request is coming from the expected origin. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in WWBN AVideo, an open source video platform, in versions up to and including 29.0. The issue is in the objects/sendEmail.json.php endpoint, which behaves differently depending on whether the parameter contactForm=1 is submitted. When this parameter is omitted, the endpoint sets the recipient email ($sendTo) to an attacker-supplied address. For unauthenticated users, the email's From and Reply-To fields use the site's own contact email.
This endpoint is explicitly allow-listed as a "public write action" and requires no authentication or CSRF token. As a result, an unauthenticated attacker who can solve a captcha can abuse the site's SMTP infrastructure to send emails composed by the attacker to arbitrary recipients. These emails appear to come from the legitimate site address and pass SPF, DKIM, and DMARC checks, making them ideal for phishing and brand impersonation.
How can this vulnerability impact me?
This vulnerability allows an unauthenticated attacker to send emails from the site's legitimate email address to arbitrary recipients. This can be exploited to conduct targeted phishing attacks or brand impersonation, potentially damaging the reputation of the affected site.
Because the emails pass SPF, DKIM, and DMARC checks, recipients are more likely to trust these messages, increasing the risk of successful social engineering attacks.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The vulnerable endpoint is objects/sendEmail.json.php in WWBN AVideo up to and including 29.0, and it is reachable without authentication or a CSRF token. Exploitation leaves traces in two places: the web server's access log and the outbound mail path.
- In the access log, look for POST requests to objects/sendEmail.json.php. A legitimate contact-form submission carries contactForm=1; the recipient-controlled code path is taken when that parameter is absent. Keep in mind that a standard access log records only the request line, so a parameter sent in the POST body (the normal case for a form) does not appear there. A log line without contactForm=1 is therefore not proof of abuse on its own, and the filter below only catches clients that pass the parameter in the query string.
- Example command (adjust the path prefix if AVideo is installed in a sub-directory): grep 'POST .*/objects/sendEmail.json.php' /var/log/apache2/access.log | grep -v 'contactForm=1'
- Request volume is the more reliable signal: a contact form is hit occasionally by humans, while a mass-mailing abuse produces a burst of POSTs to this one endpoint from a single source IP. Count requests per source IP over short windows and investigate outliers.
- To see the submitted parameters themselves, enable request-body logging (for example a ModSecurity audit log) or add logging in the application.
- On the mail side, watch the MTA or SMTP relay log for a spike in messages sent from the site's contact address, especially to many distinct external recipients, and compare it against the volume the contact form normally generates.
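The following script is an added example, not part of this advisory or of the AVideo project. It implements the two access-log checks above over constructed sample log lines in the Apache/nginx combined format: it flags POSTs to objects/sendEmail.json.php whose query string lacks contactForm=1 (with the caveat that a body parameter is invisible here), and it flags any source IP that exceeds a threshold of endpoint hits inside a sliding time window. The endpoint path, the window of 60 seconds and the threshold of 5 requests are assumptions to tune for your site.

```python
"""Detect abuse of AVideo's objects/sendEmail.json.php (CVE-2026-43880).

Added example, not advisory or project code. Parses combined-format access
log lines (constructed sample below) and reports:
  * POSTs to the endpoint without contactForm=1 in the query string. Only
    the request line is logged, so a parameter in the POST body is not
    visible; treat this as a weak indicator.
  * Source IPs with more than THRESHOLD endpoint POSTs in any WINDOW_SECONDS,
    the pattern a mass-mailing abuse produces however the parameters are sent.
"""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

ENDPOINT = "/objects/sendEmail.json.php"   # assumed; adjust for sub-directory installs
WINDOW_SECONDS = 60                        # assumed tuning value
THRESHOLD = 5                              # assumed tuning value

# Combined log format: ip ident user [time] "METHOD target HTTP/x" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict with ip, time, method, path, query for one log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], TIME_FMT)
    split = urlsplit(rec["target"])
    rec["path"] = split.path
    rec["query"] = parse_qs(split.query)
    return rec


def is_endpoint(rec):
    # Match on the suffix so a sub-directory install (/avideo/objects/...) is caught too.
    return rec is not None and rec["path"].endswith(ENDPOINT)


def missing_contact_form(rec):
    """True for a POST to the endpoint whose query string does not carry contactForm=1."""
    return (is_endpoint(rec) and rec["method"] == "POST"
            and rec["query"].get("contactForm") != ["1"])


def find_bursts(records, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """Return {ip: peak_count} for IPs exceeding `threshold` endpoint POSTs in any `window`."""
    per_ip = defaultdict(list)
    for rec in records:
        if is_endpoint(rec) and rec["method"] == "POST":
            per_ip[rec["ip"]].append(rec["time"])
    bursts = {}
    for ip, times in per_ip.items():
        times.sort()
        start, worst = 0, 0
        for end in range(len(times)):            # sliding window over sorted timestamps
            while (times[end] - times[start]).total_seconds() > window:
                start += 1
            worst = max(worst, end - start + 1)
        if worst > threshold:
            bursts[ip] = worst
    return bursts


def analyse(lines):
    records = [r for r in map(parse_line, lines) if r is not None]
    return {
        "endpoint_hits": sum(1 for r in records if is_endpoint(r)),
        "missing_contact_form": sum(1 for r in records if missing_contact_form(r)),
        "bursting_ips": find_bursts(records),
    }


# Constructed sample log: one legitimate contact-form submission, then eight
# recipient-controlled sends within a minute from a single scripted client.
SAMPLE_LOG = [
    '10.0.0.5 - - [11/May/2026:10:00:00 +0000] "POST /objects/sendEmail.json.php?contactForm=1 HTTP/1.1" 200 87 "-" "Mozilla/5.0"',
] + [
    f'203.0.113.7 - - [11/May/2026:10:01:{s:02d} +0000] "POST /objects/sendEmail.json.php HTTP/1.1" 200 87 "-" "python-requests/2.31"'
    for s in range(0, 60, 8)
] + [
    '10.0.0.9 - - [11/May/2026:10:02:00 +0000] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

Feed it real lines with `analyse(open("/var/log/apache2/access.log").read().splitlines())`. The burst check is the one worth alerting on; the missing-parameter check is informational unless you log request bodies.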
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation is to stop unauthenticated requests from choosing the recipient and to limit how much mail the endpoint can send until the fix is in place.
- Apply the fix from commit 4e3709895857a5857f0edb46b0ee984de0d9e1a2, or upgrade to a release that includes it.
- Until then, restrict access to objects/sendEmail.json.php, for example by requiring a logged-in session, or by blocking the endpoint at the web server if the public contact form can be taken offline temporarily.
- Do not let unauthenticated requests supply the recipient. The public contact form only needs to deliver to the site's configured contact address, so an attacker-supplied sendTo value should be ignored on that path.
- Rate-limit the endpoint per source IP and monitor outbound SMTP volume from the web server. The captcha alone is not a sufficient control, since the attack assumes an attacker who can solve it.
- After patching, verify with a test request: an unauthenticated POST to the endpoint without contactForm=1 and with an external address in sendTo should no longer result in a message to that address.