CVE-2026-35181

MEDIUM

WWBN AVideo Affected by CSRF on Player Skin Configuration via admin/playerUpdate.json.php

Title source: cna

Description

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the player skin configuration endpoint at admin/playerUpdate.json.php does not validate CSRF tokens. The plugins table is explicitly excluded from the ORM's domain-based security check via ignoreTableSecurityCheck(), which removes the only other layer of defense for that endpoint. Combined with cookies set as SameSite=None, a cross-origin POST issued while an administrator is logged in can modify the video player appearance for the entire platform.

Scores

CVSS v3: 4.3
EPSS: 0.0001
EPSS Percentile: 0.4%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation: poc
Automatable: no
Technical Impact: partial

Details

CWE: CWE-352 (Cross-Site Request Forgery)
Status: published
Products (3):
- wwbn/avideo < 26.0
- wwbn/avideo 0 (Packagist)
- WWBN/AVideo <= 26.0
Published: Apr 06, 2026
Tracked Since: Apr 07, 2026