Description
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the player skin configuration endpoint at admin/playerUpdate.json.php does not validate CSRF tokens. The plugins table is explicitly excluded from the ORM's domain-based security check via ignoreTableSecurityCheck(), removing the only other layer of defense. Combined with SameSite=None cookies, a cross-origin POST can modify the video player appearance on the entire platform.
Published: 2026-04-06
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: UI Modification
Action: Patch
AI Analysis

Impact

The vulnerability in the AVideo platform allows an attacker to change the player skin configuration via a CSRF attack. The admin/playerUpdate.json.php endpoint lacks CSRF validation and the ORM security check is suppressed for the plugins table, while cookies use SameSite=None. This enables a malicious cross-origin POST to alter the appearance of the video player for all platform users.

Affected Systems

Systems affected are all installations of WWBN AVideo version 26.0 or earlier. Administrators can unintentionally expose the platform to defacement through the compromised endpoint.

Risk and Exploitability

With a CVSS score of 4.3 the risk is moderate. The absence of an EPSS score and lack of presence in KEV suggest limited evidence of active exploitation, though the attack path is straightforward and requires only a victim admin on the same origin. Operators should prefer a patch over a work‑around.

Generated by OpenCVE AI on April 7, 2026 at 01:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to AVideo 27.0 or later.
  • If a quick update is not possible, disable or protect the admin/playerUpdate.json.php endpoint by requiring a valid CSRF token.
  • Configure session cookies to use SameSite=Lax or SameSite=Strict to prevent cross-origin requests.
  • Monitor for unauthorized skin changes in the platform.

Generated by OpenCVE AI on April 7, 2026 at 01:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-4q27-4rrq-fx95 AVideo: CSRF on Player Skin Configuration via admin/playerUpdate.json.php
History

Tue, 07 Apr 2026 18:00:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 07 Apr 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Wwbn
Wwbn avideo
Vendors & Products Wwbn
Wwbn avideo

Mon, 06 Apr 2026 20:00:00 +0000

Type Values Removed Values Added
Description WWBN AVideo is an open source video platform. In versions 26.0 and prior, the player skin configuration endpoint at admin/playerUpdate.json.php does not validate CSRF tokens. The plugins table is explicitly excluded from the ORM's domain-based security check via ignoreTableSecurityCheck(), removing the only other layer of defense. Combined with SameSite=None cookies, a cross-origin POST can modify the video player appearance on the entire platform.
Title WWBN AVideo Affected by CSRF on Player Skin Configuration via admin/playerUpdate.json.php
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

Subscriptions

Wwbn Avideo
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-07T15:10:15.182Z

Reserved: 2026-04-01T17:26:21.133Z

Link: CVE-2026-35181

cve-icon Vulnrichment

Updated: 2026-04-07T15:05:57.566Z

cve-icon NVD

Status : Undergoing Analysis

Published: 2026-04-06T20:16:26.393

Modified: 2026-04-07T16:16:25.383

Link: CVE-2026-35181

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-07T09:37:33Z

Weaknesses