Description
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the Gallery plugin's `saveSort.json.php` endpoint passes unsanitized user input from `$_REQUEST['sections']` array values directly into PHP's `eval()` function. While the endpoint is gated behind `User::isAdmin()`, it has no CSRF token validation. Combined with AVideo's explicit `SameSite=None` session cookie configuration, an attacker can exploit this via cross-site request forgery to achieve unauthenticated remote code execution — requiring only that an admin visits an attacker-controlled page. Commit 087dab8841f8bdb54be184105ef19b47c5698fcb contains a patch.
Published: 2026-03-23
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

In versions of the WWBN AVideo video platform up to and including 26.0, the Gallery plugin’s saveSort.json.php endpoint incorporates user‑supplied values from the sections parameter directly into a PHP eval() call without sanitization. Although the endpoint is accessible only to administrators, it lacks CSRF token validation and the platform’s SameSite=None session cookie configuration permits cross‑site request forgery. As a result, an attacker can trigger arbitrary PHP code execution on the server simply by getting an administrator to visit a malicious page.
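As an added illustration (not AVideo's own code; section names and helper names are hypothetical), a sort-saving endpoint written first with the eval() pattern the description names, then in a hardened form that checks a CSRF token, treats section names as allow-listed identifiers instead of code, and sets the session cookie to SameSite=Lax:

```php
<?php
// Added illustration, not AVideo's code. Section names and helper names are hypothetical.

// BEFORE: the pattern the advisory describes, reduced to its essence.
// Each element of $_REQUEST['sections'] reaches eval() unchanged, so whoever
// controls the request controls the PHP that runs (CWE-94).
function saveSortVulnerable(array $sections): void
{
    foreach ($sections as $section) {
        eval($section . ';');
    }
}

// AFTER: no eval(), a CSRF token bound to the session, and an allow-list.
const KNOWN_SECTIONS = ['featured', 'latest', 'trending', 'categories']; // hypothetical

function saveSortFixed(array $request, array $session): array
{
    // 1. Reject the request unless it carries the token issued to this session.
    //    A forged cross-site POST cannot read the token, so it fails here.
    $sent = (string)($request['csrf_token'] ?? '');
    $expected = (string)($session['csrf_token'] ?? '');
    if ($expected === '' || !hash_equals($expected, $sent)) {
        http_response_code(403);
        throw new RuntimeException('CSRF token missing or invalid');
    }

    // 2. Treat the submitted values as identifiers to look up, never as code.
    $order = [];
    foreach ((array)($request['sections'] ?? []) as $section) {
        if (!is_string($section) || !in_array($section, KNOWN_SECTIONS, true)) {
            http_response_code(400);
            throw new InvalidArgumentException('unknown section');
        }
        $order[] = $section;
    }
    return $order; // persist with json_encode(), not by generating PHP
}

// 3. A SameSite=None session cookie is what lets the browser attach the admin's
//    session to a cross-site request. Lax (or Strict) keeps it first-party only.
//    Must be called before session_start().
session_set_cookie_params([
    'httponly' => true,
    'secure'   => true,
    'samesite' => 'Lax',
]);
```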

Affected Systems

The vulnerability affects the open‑source AVideo platform distributed by WWBN. All releases through version 26.0 are impacted; newer releases are not listed as affected.

Risk and Exploitability

The CVSS v3.1 score of 8.8 indicates high severity, and the EPSS score of under 1% suggests a low probability of exploitation in the wild, yet the presence of a fully remote code execution vector means an exploit would have catastrophic impact. Because the flaw can be triggered via CSRF against an admin session, any authenticated administrator who visits an attacker‑controlled page is at risk. The vulnerability is not currently listed in the CISA KEV catalog, but the lack of mitigation in the affected code base makes it a high‑priority target for attackers.

Generated by OpenCVE AI on March 24, 2026 at 20:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade AVideo to the patched release that includes commit 087dab8841f8bdb54be184105ef19b47c5698fcb, or any version later than 26.0 that removes eval() usage.

Advisories
Source | ID | Title
GitHub GHSA | GHSA-xggw-g9pm-9qhh | AVideo has PHP Code Injection via eval() in Gallery saveSort.json.php Exploitable Through CSRF Against Admin
History

Tue, 24 Mar 2026 19:00:00 +0000

Type | Values Removed | Values Added
CPEs | | cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*

Tue, 24 Mar 2026 10:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Wwbn; Wwbn avideo
Vendors & Products | | Wwbn; Wwbn avideo

Mon, 23 Mar 2026 15:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 23 Mar 2026 14:30:00 +0000

Type | Values Removed | Values Added
Description | | WWBN AVideo is an open source video platform. In versions up to and including 26.0, the Gallery plugin's `saveSort.json.php` endpoint passes unsanitized user input from `$_REQUEST['sections']` array values directly into PHP's `eval()` function. While the endpoint is gated behind `User::isAdmin()`, it has no CSRF token validation. Combined with AVideo's explicit `SameSite=None` session cookie configuration, an attacker can exploit this via cross-site request forgery to achieve unauthenticated remote code execution — requiring only that an admin visits an attacker-controlled page. Commit 087dab8841f8bdb54be184105ef19b47c5698fcb contains a patch.
Title | | AVideo has PHP Code Injection via eval() in Gallery saveSort.json.php Exploitable Through CSRF Against Admin
Weaknesses | | CWE-94
References | |
Metrics | | cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-23T14:59:02.375Z

Reserved: 2026-03-20T16:16:48.970Z

Link: CVE-2026-33479

Vulnrichment

Updated: 2026-03-23T14:58:50.744Z

NVD

Status : Analyzed

Published: 2026-03-23T15:16:34.220

Modified: 2026-03-24T18:48:38.257

Link: CVE-2026-33479

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T21:28:04Z

Weaknesses