Description
WWBN AVideo is an open source video platform. In versions 29.0 and prior, `objects/commentDelete.json.php` is a state-mutating JSON endpoint that deletes comments but performs no CSRF validation. It does not call `forbidIfIsUntrustedRequest()`, does not verify a CSRF/global token, and does not check `Origin`/`Referer`. Because AVideo intentionally sets `session.cookie_samesite=None` (to support cross-origin embed players), a cross-site request from any attacker-controlled page automatically carries the victim's `PHPSESSID`. Any authenticated victim who has authority to delete one or more comments (site moderators, video owners, and comment authors) can be tricked into deleting comments en masse simply by visiting an attacker page. Commit 184f36b1896f3364f864f17c1acca3dd8df3af27 contains a fix.
Published: 2026-04-21
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized mass comment deletion
Action: Apply Patch
AI Analysis

Impact

The vulnerability resides in the objects/commentDelete.json.php endpoint and allows an authenticated user with comment deletion privilege to have comments removed by an attacker who tricks them into visiting a malicious page. The endpoint performs no CSRF validation, ignoring tokens, Origin, and Referer. Because the platform sets session.cookie_samesite=None, any cross‑site request silently supplies the victim’s session cookie. An attacker can therefore delete comments en masse, undermining content integrity and potentially author reputation. The weakness aligns with CWE‑352 "Cross‑Site Request Forgery".

Affected Systems

Affects the open‑source video platform WWBN AVideo versions 29.0 and earlier. The fix is included in commit 184f36b1896f3364f864f17c1acca3dd8df3af27, so any deployment using a pre‑29.0 release is vulnerable.

Risk and Exploitability

The vulnerability has a CVSS score of 5.4, indicating medium severity. EPSS is not available, so exploit likelihood cannot be quantified precisely, but the absence of CSRF checks and the platform’s cookie settings make the attack straightforward. The vulnerability is not listed in CISA KEV, so it has not yet been observed in the wild. Attackers would need only a malicious web page and an authenticated user with delete rights; thus the attack vector is cross‑site request forgery, which is commonly feasible in a modern browser environment.

Generated by OpenCVE AI on April 22, 2026 at 06:17 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade AVideo to the latest release that includes commit 184f36b1896f3364f864f17c1acca3dd8df3af27, which adds CSRF validation to the commentDelete endpoint.
  • Verify that session.cookie_samesite is set to "Lax" or "Strict" in php.ini or application configuration; disabling "None" reduces CSRF risk.
  • Review and enforce access controls on comment deletion endpoints; restrict calls to trusted origins and require a CSRF token for any state‑changing operation.

Generated by OpenCVE AI on April 22, 2026 at 06:17 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 22 Apr 2026 04:00:00 +0000

Type Values Removed Values Added
First Time appeared Wwbn
Wwbn avideo
Vendors & Products Wwbn
Wwbn avideo

Wed, 22 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
Description WWBN AVideo is an open source video platform. In versions 29.0 and prior, `objects/commentDelete.json.php` is a state-mutating JSON endpoint that deletes comments but performs no CSRF validation. It does not call `forbidIfIsUntrustedRequest()`, does not verify a CSRF/global token, and does not check `Origin`/`Referer`. Because AVideo intentionally sets `session.cookie_samesite=None` (to support cross-origin embed players), a cross-site request from any attacker-controlled page automatically carries the victim's `PHPSESSID`. Any authenticated victim who has authority to delete one or more comments (site moderators, video owners, and comment authors) can be tricked into deleting comments en masse simply by visiting an attacker page. Commit 184f36b1896f3364f864f17c1acca3dd8df3af27 contains a fix.
Title WWBN AVideo's missing CSRF protection in objects/commentDelete.json.php enables mass comment deletion against moderators and content creators
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L'}

Subscriptions

Wwbn Avideo
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-22T17:58:51.253Z

Reserved: 2026-04-15T20:40:15.517Z

Link: CVE-2026-40929

cve-icon Vulnrichment

Updated: 2026-04-22T17:58:47.886Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-21T23:16:20.433

Modified: 2026-04-22T21:23:52.620

Link: CVE-2026-40929

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T06:30:10Z

Weaknesses