Description
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo endpoint objects/emailAllUsers.json.php allows administrators to send HTML emails to every registered user on the platform. While the endpoint verifies admin session status, it does not validate a CSRF token. Because AVideo sets SameSite=None on session cookies, a cross-origin POST request from an attacker-controlled page will include the admin's session cookie automatically. An attacker who lures an admin to a malicious page can send an arbitrary HTML email to every user on the platform, appearing to originate from the instance's legitimate SMTP address. At time of publication, there are no publicly available patches.
Published: 2026-03-31
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Mass phishing via CSRF
Action: Immediate Patch
AI Analysis

Impact

In AVideo versions 26.0 and earlier, the endpoint that lets administrators send HTML emails to all users lacks CSRF protection. An attacker who lures an admin to a malicious page can have the admin's browser submit a forged request to that endpoint, authenticated automatically by the admin’s session cookie. The result is a spoofed mass email that appears to come from the platform’s legitimate SMTP address, enabling large‑scale phishing attacks. The vulnerability does not give code execution or direct data access, but it undermines user trust and can lead to credential theft or further compromise through social engineering.

Affected Systems

The affected product is WWBN AVideo, specifically the emailAllUsers.json.php endpoint available in all releases up to and including version 26.0. Any installation of AVideo 26.0 or older that has not applied a newer fix is vulnerable.

Risk and Exploitability

The CVSS score of 6.5 places the issue in the medium severity band, while the EPSS score of less than 1% suggests that exploitation has not been widely observed. The vulnerability is not listed in the CISA KEV catalog. The attack vector is cross‑site request forgery: an attacker must lure an administrator to a malicious site that triggers a POST request to the endpoint. Once an admin's browser has been used this way, the attacker can send arbitrary phishing emails to every user, potentially leading to credential compromise or malware delivery. Because the platform sets SameSite=None on the admin session cookie, the browser attaches the cookie to the cross-origin POST automatically, so the exploit is trivial for anyone who can get the admin to load a page.

Generated by OpenCVE AI on April 2, 2026 at 04:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Verify whether a newer AVideo release exists; upgrade to the latest version if available.
  • If an upgrade is unavailable, disable the objects/emailAllUsers.json.php endpoint or restrict it to localhost only.
  • Configure the application to require a CSRF token for POST requests to this endpoint.
  • Restrict administrative access to a secure network or VPN and monitor admin activity.
  • Disable or limit the SMTP functionality that allows mass emailing to all users.
  • Implement email filtering and user education to detect spoofed messages.
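
The following is an added example, not AVideo's own code, showing how the two root causes named in the analysis above would be closed in a PHP endpoint of this kind: the session cookie is issued with SameSite=Lax instead of SameSite=None, so a cross-origin POST no longer carries the admin's session, and the handler refuses any POST that lacks a valid per-session CSRF token or arrives from a foreign Origin. All function names, the `is_admin` session key, the `csrf_token` field name and the `avideo.example` host are assumptions for illustration; the mailer is a placeholder.

```php
<?php
// Added example (not AVideo's code): hardening pattern for an admin-only
// "email all users" endpoint. Function names, session keys and the
// expected host are assumptions for illustration.

declare(strict_types=1);

// 1. Session cookie with SameSite=Lax: the browser will not attach it to a
//    cross-origin POST, removing the precondition for the CSRF described
//    in the advisory (AVideo ships SameSite=None). Requires PHP >= 7.3.
function startHardenedSession(): void
{
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

// 2. Per-session anti-CSRF token: rendered into the admin form as a hidden
//    field and compared in constant time on every state-changing request.
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrfTokenIsValid(?string $submitted): bool
{
    $expected = $_SESSION['csrf_token'] ?? '';
    return is_string($submitted) && $expected !== '' && hash_equals($expected, $submitted);
}

// 3. Defence in depth: browsers send an Origin header on cross-origin POSTs,
//    so a request whose Origin (or Referer) host is not ours is rejected.
function requestIsSameOrigin(string $expectedHost): bool
{
    $origin = $_SERVER['HTTP_ORIGIN'] ?? $_SERVER['HTTP_REFERER'] ?? '';
    if ($origin === '') {
        return false; // no Origin/Referer at all: fail closed
    }
    $host = parse_url($origin, PHP_URL_HOST);
    return is_string($host) && strcasecmp($host, $expectedHost) === 0;
}

// Endpoint logic: method check, admin check, CSRF/origin check, then send.
function handleEmailAllUsers(string $expectedHost, callable $isAdmin, callable $sendToAllUsers): array
{
    if (($_SERVER['REQUEST_METHOD'] ?? 'GET') !== 'POST') {
        http_response_code(405);
        return ['error' => true, 'msg' => 'POST required'];
    }
    if (!$isAdmin()) {
        http_response_code(403);
        return ['error' => true, 'msg' => 'Admin session required'];
    }
    if (!csrfTokenIsValid($_POST['csrf_token'] ?? null) || !requestIsSameOrigin($expectedHost)) {
        http_response_code(403);
        // Log rejected attempts: a burst of these against an admin-only
        // mass-mail endpoint is a useful detection signal.
        error_log('Rejected cross-site emailAllUsers attempt from ' . ($_SERVER['REMOTE_ADDR'] ?? 'unknown'));
        return ['error' => true, 'msg' => 'CSRF check failed'];
    }
    $subject = trim((string)($_POST['subject'] ?? ''));
    $body    = (string)($_POST['body'] ?? '');
    if ($subject === '' || $body === '') {
        http_response_code(400);
        return ['error' => true, 'msg' => 'Subject and body required'];
    }
    $sent = $sendToAllUsers($subject, $body);
    return ['error' => false, 'sent' => $sent];
}

startHardenedSession();
header('Content-Type: application/json');
echo json_encode(handleEmailAllUsers(
    'avideo.example',                                  // assumption: configure the real hostname here
    fn(): bool => !empty($_SESSION['is_admin']),       // assumption: how admin status is tracked
    fn(string $s, string $b): int => 0                 // placeholder mailer; real code iterates users
));
```

The admin-side form must include `csrfToken()` as a hidden `csrf_token` field for legitimate requests to pass. The expected host is configured explicitly rather than read from `$_SERVER['HTTP_HOST']`, because that header is client-supplied. SameSite=Lax alone would already block this particular cross-origin POST, but the token check stays in place so the endpoint remains safe on older browsers and if the cookie policy is later relaxed again.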

Advisories

Source: GitHub GHSA
ID: GHSA-c4xj-x7p8-3x7q
Title: AVideo: CSRF on emailAllUsers.json.php Enables Mass Phishing Email to All Users
History

Wed, 01 Apr 2026 23:45:00 +0000

Changes (no values removed in this entry):

First Time appeared: Wwbn; Wwbn avideo
CPEs: cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*
Vendors & Products: Wwbn; Wwbn avideo
Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 01 Apr 2026 02:15:00 +0000

Changes (no values removed in this entry):

Description: WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo endpoint objects/emailAllUsers.json.php allows administrators to send HTML emails to every registered user on the platform. While the endpoint verifies admin session status, it does not validate a CSRF token. Because AVideo sets SameSite=None on session cookies, a cross-origin POST request from an attacker-controlled page will include the admin's session cookie automatically. An attacker who lures an admin to a malicious page can send an arbitrary HTML email to every user on the platform, appearing to originate from the instance's legitimate SMTP address. At time of publication, there are no publicly available patches.
Title: AVideo: CSRF on emailAllUsers.json.php Enables Mass Phishing Email to All Users
Weaknesses: CWE-352
References: (none listed)
Metrics (cvssV3_1): {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-01T13:39:27.793Z

Reserved: 2026-03-30T17:15:52.500Z

Link: CVE-2026-34611

Vulnrichment

Updated: 2026-04-01T13:39:18.344Z

NVD

Status: Analyzed

Published: 2026-03-31T21:16:31.297

Modified: 2026-04-01T20:33:55.837

Link: CVE-2026-34611

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-02T20:10:42Z

Weaknesses