Description
WWBN AVideo is an open source video platform. In versions up to and including 29.0, objects/sendEmail.json.php exposes two branches depending on whether contactForm=1 is submitted. When the parameter is omitted, the endpoint sets $sendTo to an attacker-supplied email and, for unauthenticated callers, uses the site's own contact email as the message From:/Reply-To:. The endpoint is explicitly allow-listed as a "public write action" in objects/functionsSecurity.php (line 885), so it requires no authentication or CSRF token. An unauthenticated attacker (solving a captcha) can force the site's own SMTP infrastructure to send attacker-composed emails to arbitrary recipients with the site's legitimate sender address, passing SPF/DKIM/DMARC for the site's domain — ideal for targeted phishing and brand impersonation. Commit 4e3709895857a5857f0edb46b0ee984de0d9e1a2 contains an updated fix.
Published: 2026-05-11
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The AVideo application (versions up to and including 29.0) contains a public write endpoint, objects/sendEmail.json.php, that lets any caller name the recipient address. When the optional contactForm parameter is omitted, the script sends mail through the site's SMTP server with the configured contact email as the From:/Reply-To: address. Because the endpoint is fully public, an attacker can compose arbitrary messages and have them delivered to recipients of their choosing. The mail leaves through the site's own outbound path, so it passes SPF, DKIM and DMARC checks for the site's domain and looks legitimate to receiving mail systems and to recipients, which makes it well suited to targeted phishing and brand impersonation. A sustained campaign also puts the site's sending reputation with mail providers at risk.

Affected Systems

The vulnerability affects the open-source video platform WWBN AVideo, specifically installations on or before version 29.0. The fix is in commit 4e3709895857a5857f0edb46b0ee984de0d9e1a2; releases that include that commit are not affected.

Risk and Exploitability

The CVSS 3.1 base score of 5.3 (Medium, vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) reflects a network-reachable endpoint that needs no privileges or user interaction and whose only direct impact is a low integrity impact: the attacker reads no data and takes nothing down, but makes the site's mail infrastructure send messages the site never authored. Exploitation requires no authentication; the attacker still has to solve a captcha, and the endpoint asks for no CSRF token or other privilege. A captcha limits throughput rather than feasibility, since it can be solved by hand or through a solving service. EPSS data is not available, and the vulnerability is not listed in CISA's KEV catalog. Any attacker who can reach the web server can invoke the endpoint and have the site's SMTP infrastructure deliver attacker-crafted emails to arbitrary recipients from the site's authentic sender address.

Generated by OpenCVE AI on May 11, 2026 at 23:25 UTC.

Remediation

A vendor fix exists: commit 4e3709895857a5857f0edb46b0ee984de0d9e1a2 in the AVideo repository (see Description). No separate vendor workaround is published.

OpenCVE Recommended Actions

  • Upgrade to a release of WWBN AVideo that includes commit 4e3709895857a5857f0edb46b0ee984de0d9e1a2 (any version after 29.0 that carries the fix), and confirm the deployed objects/sendEmail.json.php matches that commit rather than relying on the version string alone.
  • If an update is delayed, remove the sendEmail.json.php entry from the public write allow-list in objects/functionsSecurity.php (around line 885 in affected versions) so the endpoint requires an authenticated session. Expect this to also disable the site's unauthenticated contact form, which appears to be served by the same script (the contactForm=1 branch); test the form after the change.
  • Until patched, block requests to /objects/sendEmail.json.php at the web server or WAF. A plain path-based deny cannot tell a genuine contact-form submission from the abusive branch, because the difference is only in the submitted parameters, so it blocks both; if the contact form must keep working, use a rule that inspects the submitted parameters and requires contactForm=1. In every case, rate-limit the endpoint per source address and watch for bursts of requests to it, which is what a phishing run through this endpoint looks like in the access log.
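The monitoring step above can be started from the web server's access log. The following script is an added example, not code from the OpenCVE page or from the AVideo project: it parses nginx/Apache combined-format lines, groups requests to /objects/sendEmail.json.php by source address, and flags sources that hit the endpoint at least a threshold number of times inside a sliding time window. The log lines, the host name video.example.com, the addresses and the threshold are constructed for illustration. Because the access log does not record the POST body, the script cannot see whether contactForm=1 was sent; a burst from one source is the usable signal, and a missing or off-site Referer is only a weak, client-controlled hint.

```python
import re
from collections import defaultdict
from datetime import datetime

# Endpoint named in the advisory.
ENDPOINT = "/objects/sendEmail.json.php"

# nginx default / Apache "combined" log format. Other formats need a different pattern.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["path"] = rec["path"].split("?", 1)[0]   # drop any query string
    return rec


def find_abuse(lines, site_host, threshold=5, window_seconds=300):
    """Group requests to ENDPOINT by source address and flag every source that made
    at least `threshold` requests inside some `window_seconds` window.

    The access log carries no POST body, so the abusive branch (contactForm omitted)
    cannot be told apart from a real contact-form submission here; the burst is the
    signal. 'offsite' counts requests whose Referer does not name the site, a weaker
    hint because the client controls that header.
    """
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None and rec["path"] == ENDPOINT:
            per_ip[rec["ip"]].append(rec)

    flagged = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["ts"])
        times = [r["ts"] for r in recs]
        burst = start = 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            burst = max(burst, end - start + 1)
        if burst >= threshold:
            flagged[ip] = {
                "hits": len(recs),
                "burst": burst,
                "offsite": sum(1 for r in recs if site_host not in r["referer"]),
                "first": times[0].isoformat(),
                "last": times[-1].isoformat(),
            }
    return flagged


# Constructed sample log (illustrative addresses, host name and timestamps).
SAMPLE_LOG = [
    # one genuine contact-form submission from a browser
    '198.51.100.20 - - [11/May/2026:20:00:41 +0000] "POST /objects/sendEmail.json.php HTTP/1.1" 200 45 "https://video.example.com/contact" "Mozilla/5.0"',
    # unrelated traffic
    '192.0.2.9 - - [11/May/2026:20:00:50 +0000] "GET /index.php HTTP/1.1" 200 8123 "-" "Mozilla/5.0"',
    # two submissions ten minutes apart from one address: below the burst threshold
    '192.0.2.9 - - [11/May/2026:20:01:00 +0000] "POST /objects/sendEmail.json.php HTTP/1.1" 200 45 "https://video.example.com/contact" "Mozilla/5.0"',
    '192.0.2.9 - - [11/May/2026:20:11:00 +0000] "POST /objects/sendEmail.json.php HTTP/1.1" 200 45 "https://video.example.com/contact" "Mozilla/5.0"',
    # scripted burst with no Referer: the pattern a phishing run would leave
    '203.0.113.7 - - [11/May/2026:20:01:02 +0000] "POST /objects/sendEmail.json.php HTTP/1.1" 200 45 "-" "curl/8.5.0"',
    '203.0.113.7 - - [11/May/2026:20:01:05 +0000] "POST /objects/sendEmail.json.php HTTP/1.1" 200 45 "-" "curl/8.5.0"',
    '203.0.113.7 - - [11/May/2026:20:01:09 +0000] "POST /objects/sendEmail.json.php HTTP/1.1" 200 45 "-" "curl/8.5.0"',
    '203.0.113.7 - - [11/May/2026:20:01:14 +0000] "POST /objects/sendEmail.json.php HTTP/1.1" 200 45 "-" "curl/8.5.0"',
    '203.0.113.7 - - [11/May/2026:20:01:20 +0000] "POST /objects/sendEmail.json.php HTTP/1.1" 200 45 "-" "curl/8.5.0"',
    '203.0.113.7 - - [11/May/2026:20:02:31 +0000] "POST /objects/sendEmail.json.php HTTP/1.1" 200 45 "-" "curl/8.5.0"',
]


if __name__ == "__main__":
    import sys
    # Pass a real access log as the first argument; otherwise the constructed sample runs.
    lines = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG
    for ip, info in find_abuse(lines, "video.example.com").items():
        print(f"{ip}: {info['hits']} hits, {info['burst']} within window, "
              f"{info['offsite']} without site referer ({info['first']} .. {info['last']})")
```

On the sample, only 203.0.113.7 is reported (six requests in under two minutes, none with a site Referer); the two legitimate-looking sources stay below the threshold. Tune threshold and window to the site's real contact-form volume, and keep in mind that a campaign spread over many source addresses, or paced below the window, will not trip a per-address burst count; a global rate on the endpoint, or the outbound mail log of the SMTP relay, is the complementary view.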



Advisories
Source: GitHub GHSA
ID: GHSA-5hgj-7gm9-cff5
Title: AVideo: Unauthenticated Arbitrary Email Sending via sendEmail.json.php Enables Phishing from the Site’s Legitimate From Address
History

Mon, 11 May 2026 23:30:00 +0000

Type: First Time appeared
Values Added: Wwbn, Wwbn avideo

Type: Vendors & Products
Values Added: Wwbn, Wwbn avideo

Mon, 11 May 2026 21:30:00 +0000

Type: Description
Values Added: the description quoted at the top of this page (identical text)

Type: Title
Values Added: WWBN AVideo: Unauthenticated Arbitrary Email Sending via sendEmail.json.php Allows Phishing from Site's Legitimate From Address

Type: Weaknesses
Values Added: CWE-940 (Improper Verification of Source of a Communication Channel)

Type: References
Values Added: (none listed)

Type: Metrics
Values Added: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-11T20:37:15.967Z

Reserved: 2026-05-04T15:17:09.329Z

Link: CVE-2026-43880

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-11T22:22:12.530

Modified: 2026-05-11T22:22:12.530

Link: CVE-2026-43880

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-11T23:30:02Z

Weaknesses