CVE-2026-43880
Received Received - Intake
Email Spoofing via SMTP in AVideo

Publication date: 2026-05-11

Last updated on: 2026-05-11

Assigner: GitHub, Inc.

Description
WWBN AVideo is an open source video platform. In versions up to and including 29.0, objects/sendEmail.json.php exposes two branches depending on whether contactForm=1 is submitted. When the parameter is omitted, the endpoint sets $sendTo to an attacker-supplied email and, for unauthenticated callers, uses the site's own contact email as the message From:/Reply-To:. The endpoint is explicitly allow-listed as a "public write action" in objects/functionsSecurity.php (line 885), so it requires no authentication or CSRF token. An unauthenticated attacker (solving a captcha) can force the site's own SMTP infrastructure to send attacker-composed emails to arbitrary recipients with the site's legitimate sender address, passing SPF/DKIM/DMARC for the site's domain β€” ideal for targeted phishing and brand impersonation. Commit 4e3709895857a5857f0edb46b0ee984de0d9e1a2 contains an updated fix.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-11
Last Modified
2026-05-11
Generated
2026-06-21
AI Q&A
2026-05-12
EPSS Evaluated
2026-06-20
NVD
CVE-2026-43880
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wwbn avideo to 29.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-940 The product establishes a communication channel to handle an incoming request that has been initiated by an actor, but it does not properly verify that the request is coming from the expected origin.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in WWBN AVideo, an open source video platform, in versions up to and including 29.0. The issue is in the objects/sendEmail.json.php endpoint, which behaves differently depending on whether the parameter contactForm=1 is submitted. When this parameter is omitted, the endpoint sets the recipient email ($sendTo) to an attacker-supplied address. For unauthenticated users, the email's From and Reply-To fields use the site's own contact email.

This endpoint is explicitly allow-listed as a "public write action" and requires no authentication or CSRF token. As a result, an unauthenticated attacker who can solve a captcha can abuse the site's SMTP infrastructure to send emails composed by the attacker to arbitrary recipients. These emails appear to come from the legitimate site address and pass SPF, DKIM, and DMARC checks, making them ideal for phishing and brand impersonation.

Impact Analysis

This vulnerability allows an unauthenticated attacker to send emails from the site's legitimate email address to arbitrary recipients. This can be exploited to conduct targeted phishing attacks or brand impersonation, potentially damaging the reputation of the affected site.

Because the emails pass SPF, DKIM, and DMARC checks, recipients are more likely to trust these messages, increasing the risk of successful social engineering attacks.

Detection Guidance

This vulnerability involves the endpoint objects/sendEmail.json.php in WWBN AVideo versions up to 29.0, which allows unauthenticated attackers to send emails via the site's SMTP infrastructure.

To detect exploitation attempts on your network or system, monitor HTTP requests targeting the objects/sendEmail.json.php endpoint, especially those that omit the contactForm=1 parameter and include attacker-supplied email addresses.

You can use web server logs or network monitoring tools to identify suspicious POST requests to this endpoint.

  • Use grep or similar tools on your web server logs to find requests to objects/sendEmail.json.php without the contactForm=1 parameter.
  • Example command: grep 'POST /objects/sendEmail.json.php' /var/log/apache2/access.log | grep -v 'contactForm=1'
  • Monitor outgoing SMTP traffic for unusual email sending patterns originating from the web server.
Mitigation Strategies

Immediate mitigation steps include restricting access to the vulnerable endpoint and preventing unauthenticated use.

  • Apply the fix from commit 4e3709895857a5857f0edb46b0ee984de0d9e1a2 if available.
  • Restrict access to objects/sendEmail.json.php to authenticated users only.
  • Implement additional validation on the sendTo parameter to prevent attacker-supplied email addresses.
  • Monitor and limit SMTP usage to prevent abuse.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-43880. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart