PT-2026-26766 · Avideo · Gallery+1

Restriction · Published 2026-03-20 · Updated 2026-03-23 · CVE-2026-33479

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

AVideo versions prior to 26.0

Description

The Gallery plugin in AVideo contains a flaw where the saveSort.json.php endpoint passes unsanitized user input from the $_REQUEST['sections'] array directly into PHP's eval() function. The endpoint is protected by User::isAdmin() but lacks CSRF token validation. AVideo's SameSite=None session cookie configuration makes the endpoint reachable via cross-site request forgery, so an attacker who tricks an administrator into visiting a malicious page achieves remote code execution without credentials of their own.

The vulnerable code resides in plugin/Gallery/view/saveSort.json.php:20-25. The $_REQUEST['sections'] value is interpolated into a string that is passed to eval() without any sanitization. The missing CSRF protection, combined with the SameSite=None session cookie setting, allows an attacker to submit a form on behalf of an authenticated administrator. An exploit consists of an HTML page with an auto-submitting form targeting the vulnerable endpoint; once an administrator is lured to that page, arbitrary PHP code is executed on the server.

Recommendations

Versions prior to 26.0: Replace the eval() call in plugin/Gallery/view/saveSort.json.php with an allowlist check that validates each value of the $_REQUEST['sections'] array against a predefined list of allowed section names.

Versions prior to 26.0: Add CSRF protection to all state-changing endpoints.

Versions prior to 26.0: As an alternative to adding CSRF protection, set session.cookie_samesite to Lax instead of None in objects/include_config.php.
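The following is an added example that is not part of the advisory or of AVideo's code base. It shows the three recommendations applied together in a hardened handler for a "save sort order" endpoint: the submitted section names are checked against an allowlist and treated purely as data (no eval()), the request must carry a session-bound CSRF token, and the session cookie is issued with SameSite=Lax. The helper names (current_user_is_admin, csrf_token_is_valid, validate_sections, save_gallery_order), the session variable names, the ALLOWED_SECTIONS list and the output file are assumptions made for the example; User::isAdmin() and the real section definitions would be used in AVideo itself. PHP 8.0 or later is assumed for the mixed type.

```php
<?php
// Added example, not AVideo's own code. Hardened "save sort order" handler
// applying the advisory's recommendations. Helper names, session keys and
// the ALLOWED_SECTIONS list are assumptions for this example.

declare(strict_types=1);

// Recommendation 3 (alternative to CSRF tokens): do not send the session
// cookie on cross-site requests. Must be set before session_start().
ini_set('session.cookie_samesite', 'Lax');
ini_set('session.cookie_httponly', '1');
session_start();

header('Content-Type: application/json');

// Assumed admin check standing in for User::isAdmin().
function current_user_is_admin(): bool
{
    return !empty($_SESSION['is_admin']);
}

// Recommendation 2: CSRF token bound to the session, compared in constant
// time. The page that renders the form is assumed to have set
//   $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
// and to echo that value into a hidden "csrf_token" field.
function csrf_token_is_valid(mixed $token): bool
{
    $expected = $_SESSION['csrf_token'] ?? '';
    return is_string($token) && $expected !== '' && hash_equals($expected, $token);
}

// Recommendation 1: allowlist. Constructed list of section names; a real
// deployment would derive it from the plugin's own section definitions.
const ALLOWED_SECTIONS = ['videos', 'playlists', 'live', 'channels'];

/**
 * Validate the submitted order: every entry must be an allowlisted string
 * and no section may appear twice. Returns the clean list, or null on any
 * unexpected value so that a single bad entry rejects the whole request.
 */
function validate_sections(mixed $sections): ?array
{
    if (!is_array($sections) || $sections === []) {
        return null;
    }
    $clean = [];
    foreach ($sections as $name) {
        if (!is_string($name) || !in_array($name, ALLOWED_SECTIONS, true)) {
            return null; // unknown or non-string value
        }
        if (in_array($name, $clean, true)) {
            return null; // duplicate section
        }
        $clean[] = $name;
    }
    return $clean;
}

// Assumed persistence helper: the validated names are stored as JSON data
// and are never interpolated into PHP source.
function save_gallery_order(array $order): void
{
    file_put_contents(__DIR__ . '/gallery_order.json', json_encode($order));
}

if (!current_user_is_admin()) {
    http_response_code(403);
    echo json_encode(['error' => 'forbidden']);
    exit;
}

// State-changing endpoint: require POST and a valid CSRF token.
if ($_SERVER['REQUEST_METHOD'] !== 'POST'
    || !csrf_token_is_valid($_POST['csrf_token'] ?? null)) {
    http_response_code(403);
    echo json_encode(['error' => 'invalid or missing CSRF token']);
    exit;
}

// Read from $_POST only; $_REQUEST would also accept GET and cookie values.
$order = validate_sections($_POST['sections'] ?? null);
if ($order === null) {
    http_response_code(400);
    echo json_encode(['error' => 'sections must be a list of known section names']);
    exit;
}

save_gallery_order($order);
echo json_encode(['error' => false, 'sections' => $order]);
```

The allowlist check and the CSRF token are independent layers: the token stops a cross-origin page from submitting on an administrator's behalf, and the allowlist guarantees that even a legitimately authenticated request can only select from known section names, so there is no path from request input to executed code.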

Exploit

Fix

RCE

Code Injection

Weakness Enumeration

Related Identifiers

CVE-2026-33479
GHSA-XGGW-G9PM-9QHH

Affected Products

Avideo
Gallery