CVE-2026-35180

MEDIUM

WWBN AVideo affected by CSRF on Site Customization Endpoint Enables Logo Overwrite via Base64 File Write

Title source: cna

Description

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the site customization endpoint at admin/customize_settings_nativeUpdate.json.php lacks CSRF token validation and writes uploaded logo files to disk before the ORM's domain-based security check executes. Combined with SameSite=None cookie policy, a cross-origin POST can overwrite the platform's logo with attacker-controlled content.

References (1)

[X_Refsource_Confirm] https://github.com/WWBN/AVideo/security/advisories/GHSA-5572-2jgx-fc7c

Scores

CVSS v3 4.3

EPSS 0.0002

EPSS Percentile 4.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-352

Status published

Products (2)

wwbn/avideo < 26.0

WWBN/AVideo <= 26.0

Published Apr 06, 2026

Tracked Since Apr 07, 2026