Description
WWBN AVideo is an open source video platform. In versions 29.0 and prior, multiple AVideo JSON endpoints under `objects/` accept state-changing requests via `$_REQUEST`/`$_GET` and persist changes tied to the caller's session user, without any anti-CSRF token, origin check, or referer check. A malicious page visited by a logged-in victim can silently cast/flip the victim's like/dislike on any comment (`objects/comments_like.json.php`), post a comment authored by the victim on any video, with attacker-chosen text (`objects/commentAddNew.json.php`), and/or delete assets from any category (`objects/categoryDeleteAssets.json.php`) when the victim has category management rights. Each endpoint is reachable from a browser via a simple `<img src="…">` tag or form submission, so exploitation only requires the victim to load an attacker-controlled HTML resource. Commit 7aaad601bd9cd7b993ba0ee1b1bea6c32ee7b77c contains a fix.
Published: 2026-04-21
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized state changes via CSRF
Action: Immediate Patch
AI Analysis

Impact

WWBN AVideo 29.0 and earlier exposes several JSON endpoints under `objects/` that persist state changes for the caller's session user while reading their parameters from `$_REQUEST`/`$_GET`, so they can be triggered by a plain GET request. They let a logged‑in user's session like or dislike comments, post new comments in that user's name, and delete assets from categories the user is allowed to manage. Because no anti‑CSRF token, Origin check, or Referer check is performed, a page on any other site can make the victim's browser issue these requests, with the session cookie attached, without the victim noticing. This is Cross‑Site Request Forgery (CWE-352): the attack vector is a victim visiting an attacker‑controlled page that embeds an image or form pointing at one of the vulnerable URLs, so the victim's own session is used without consent.

Affected Systems

The vulnerability affects the open‑source video platform WWBN AVideo up to and including version 29.0. The affected endpoints are located under the objects/ directory and include objects/comments_like.json.php, objects/commentAddNew.json.php, and objects/categoryDeleteAssets.json.php. No other vendors or products were listed.

Risk and Exploitability

The CVSS 3.1 score of 5.4 (Medium) reflects a network‑reachable, low‑complexity attack that needs no privileges but does need the victim to load the attacker's page (UI:R), with limited integrity and availability impact and no confidentiality impact. The EPSS estimate is below 1%, and the vulnerability is not listed in the CISA KEV catalog, so there is no indication of exploitation in the wild at this time, although the SSVC record marks exploitation status as "poc". Successful exploitation requires the victim to hold an authenticated session and simply load an attacker‑controlled page; the category‑deletion outcome additionally requires that the victim have category management rights. Once triggered, the attacker can flip the victim's likes/dislikes, post comments in the victim's name, or delete category assets, compromising data integrity and potentially removing content.

Generated by OpenCVE AI on April 22, 2026 at 06:17 UTC.

Remediation

The CVE record identifies commit 7aaad601bd9cd7b993ba0ee1b1bea6c32ee7b77c as containing the fix; no separate vendor advisory or documented workaround is listed on this page.

OpenCVE Recommended Actions

  • Upgrade WWBN AVideo to a build that includes the fix commit 7aaad601bd9cd7b993ba0ee1b1bea6c32ee7b77c; every release up to and including 29.0 is affected.
  • If an update is not immediately possible, add a web‑server or application‑firewall rule for the three affected endpoints that rejects requests whose Origin header (or, when no Origin is present, Referer header) does not match the site's own origin, and that rejects requests carrying neither. A rule can only act on headers the browser already sends; it cannot retrofit an anti‑CSRF token the application does not issue. Note that an `<img src>` request sends no Origin header and may omit Referer under a strict Referrer‑Policy or privacy extension, so the rule must fail closed on missing headers, which can also block some legitimate clients.
  • As a temporary safeguard, revoke category‑management privileges from users that are not trusted administrators and disable user‑initiated comment posting or like features until the patch is applied.
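The header check and anti‑CSRF token recommended above, together with a triage helper for the Risk and Exploitability question of whether the endpoints have already been hit cross‑site, as an added Python model. This is illustrative code, not AVideo's own and not the fix in the referenced commit: only the three endpoint paths come from the advisory; the site origin `https://video.example.test`, the header handling, the per‑session token scheme, the `placeholder=1` query string and the log lines are constructed for the example. AVideo is written in PHP, so this models the decision logic rather than providing a drop‑in.

```python
"""Model of the request checks recommended above.

Illustrative code, not AVideo's own and not the fix in the referenced commit. Only the three
endpoint paths come from the advisory; the site origin, header handling, token scheme,
query strings and log lines are constructed for this example.
"""
import hmac
import re
import secrets
from urllib.parse import urlsplit

SITE_ORIGIN = "https://video.example.test"  # assumed deployment origin (not from the advisory)
# Endpoints the advisory names as accepting state changes via $_REQUEST/$_GET.
STATE_CHANGING = {
    "/objects/comments_like.json.php",
    "/objects/commentAddNew.json.php",
    "/objects/categoryDeleteAssets.json.php",
}

def origin_of(url):
    """Return scheme://host[:port] of a URL in lowercase, or None if it has no host."""
    p = urlsplit(url)
    if not p.scheme or not p.netloc:
        return None
    return f"{p.scheme}://{p.netloc}".lower()

def is_cross_site(headers):
    """Decide from Sec-Fetch-Site, Origin or Referer whether a request came from another site.
    Fails closed: a request carrying none of the three counts as cross-site, because an <img src>
    from an attacker page sends no Origin and, under a strict Referrer-Policy, no Referer either."""
    h = {k.lower(): v for k, v in headers.items()}
    sfs = h.get("sec-fetch-site")
    if sfs is not None:  # current browsers send this on every request
        return sfs.lower() not in ("same-origin", "none")  # "none" = typed URL / bookmark
    origin = h.get("origin")
    if origin is not None:  # an opaque "null" origin has no host and fails this check
        return origin_of(origin) != SITE_ORIGIN
    referer = h.get("referer")
    if referer is not None:
        return origin_of(referer) != SITE_ORIGIN
    return True

def issue_token(session):
    """Store a fresh per-session synchronizer token and return it for embedding in forms."""
    session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]

def token_valid(session, submitted):
    """Constant-time comparison of the submitted token against the session copy."""
    expected = session.get("csrf_token")
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)

def guard(path, method, headers, session, submitted_token=None):
    """Return (allowed, reason) for a request. Requiring POST is an assumption of this model
    (the advisory only says the endpoints currently accept GET); the header and token checks
    are the two controls the recommendations describe."""
    if path not in STATE_CHANGING:
        return True, "not a guarded endpoint"
    if method.upper() != "POST":
        return False, "state change must be POST"
    if is_cross_site(headers):
        return False, "cross-site request"
    if not token_valid(session, submitted_token):
        return False, "missing or invalid CSRF token"
    return True, "ok"

# Combined Log Format: client ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "[^"]*"$')

def cross_site_hits(lines):
    """Flag requests to the guarded endpoints whose Referer is another origin or absent. An absent
    Referer is only a weak signal (Referrer-Policy strips it), so it is labelled separately."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, method, target, _status, referer = m.groups()
        path = target.split("?", 1)[0]
        if path not in STATE_CHANGING:
            continue
        if referer == "-":
            hits.append((ip, method, path, "no-referer"))
        elif origin_of(referer) != SITE_ORIGIN:
            hits.append((ip, method, path, f"cross-site referer {origin_of(referer)}"))
    return hits

# Constructed sample log; "placeholder=1" stands in for the real query string, which the advisory does not name.
SAMPLE_LOG = """\
203.0.113.7 - - [22/Apr/2026:10:01:02 +0000] "GET /objects/comments_like.json.php?placeholder=1 HTTP/1.1" 200 31 "https://evil.example/lure.html" "Mozilla/5.0"
198.51.100.4 - - [22/Apr/2026:10:01:05 +0000] "POST /objects/commentAddNew.json.php HTTP/1.1" 200 88 "https://video.example.test/video/42" "Mozilla/5.0"
203.0.113.7 - - [22/Apr/2026:10:01:09 +0000] "GET /objects/categoryDeleteAssets.json.php?placeholder=1 HTTP/1.1" 200 20 "-" "Mozilla/5.0"
192.0.2.9 - - [22/Apr/2026:10:02:00 +0000] "GET /video/42 HTTP/1.1" 200 5120 "https://evil.example/" "Mozilla/5.0"
"""

if __name__ == "__main__":
    s = {}
    print(guard("/objects/commentAddNew.json.php", "POST", {"Origin": SITE_ORIGIN}, s, issue_token(s)))
    print(cross_site_hits(SAMPLE_LOG.splitlines()))
```

On the sample log, the first and third lines are flagged (a foreign Referer and a missing Referer on two of the advisory's endpoints) while the same‑origin POST and the unrelated page view are not. The `guard` function shows why the header check alone is not enough: a same‑origin request with a wrong or missing token is still refused, and a request with no Origin, Referer or Sec‑Fetch‑Site at all is refused rather than waved through.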


Advisories

No advisories yet.

History

Wed, 22 Apr 2026 14:15:00 +0000

  • Metrics (values added): ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 22 Apr 2026 04:45:00 +0000

  • First Time appeared (values added): Wwbn; Wwbn avideo
  • Vendors & Products (values added): Wwbn; Wwbn avideo

Wed, 22 Apr 2026 00:00:00 +0000

  • Description (values added): the CVE description shown at the top of this page
  • Title (values added): AVideo: Missing CSRF Protection on State-Changing JSON Endpoints Enables Forced Comment Creation, Vote Manipulation, and Category Asset Deletion
  • Weaknesses (values added): CWE-352
  • References (values added): no values shown
  • Metrics (values added): cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-22T13:15:43.678Z

Reserved: 2026-04-15T20:40:15.517Z

Link: CVE-2026-40928

Vulnrichment

Updated: 2026-04-22T13:15:36.019Z

NVD

Status : Awaiting Analysis

Published: 2026-04-21T23:16:20.300

Modified: 2026-04-22T21:23:52.620

Link: CVE-2026-40928

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T06:30:10Z

Weaknesses