PT-2026-29358 · Avideo · Avideo

Adrgs · Published 2026-03-31 · Updated 2026-04-01 · CVE-2026-34611

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: AVideo versions 26.0 and prior

Description: The AVideo platform, in versions 26.0 and prior, has an issue in the objects/emailAllUsers.json.php endpoint. This endpoint allows administrators to send HTML emails to all registered users. The endpoint verifies admin session status but does not validate a CSRF token. Because AVideo sets SameSite=None on session cookies, a cross-origin POST request from an attacker-controlled page will automatically include the admin's session cookie. An attacker can trick an administrator into visiting a malicious page and then send an arbitrary HTML email to every user on the platform, appearing to come from the instance's legitimate SMTP address.

Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.
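As an added illustration, not AVideo's own code, the following Python model contrasts the check the advisory describes (admin session only) with a hardened variant that also binds a per-session CSRF token and verifies the Origin header; the browser's SameSite cookie rule is modelled so the effect of SameSite=None on a cross-site POST is visible. The class names, the site origin and the second origin are assumptions.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical model of an admin-only POST endpoint's accept/reject decision.
SITE_ORIGIN = "https://video.example.test"   # placeholder for the instance origin


@dataclass
class Session:
    is_admin: bool
    # Per-session anti-CSRF token, issued server-side and embedded in the admin's form.
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(32))


@dataclass
class Request:
    method: str
    origin: str                     # Origin header of the browser-initiated request
    cookie_samesite: str            # SameSite attribute the session cookie was set with
    session: Optional[Session]      # session the cookie would resolve to, if the browser sends it
    csrf_token: Optional[str] = None  # token value carried in the POST body, if any


def browser_attaches_cookie(req: Request) -> bool:
    """Model of browser policy: Lax/Strict cookies are withheld on a cross-site POST,
    SameSite=None cookies are sent along with it."""
    if req.origin == SITE_ORIGIN:
        return True
    return req.cookie_samesite.lower() == "none"


def vulnerable_accept(req: Request) -> bool:
    """Decision the advisory describes: an admin session cookie is sufficient."""
    session = req.session if browser_attaches_cookie(req) else None
    return req.method == "POST" and session is not None and session.is_admin


def hardened_accept(req: Request) -> bool:
    """Admin session plus same-origin check plus constant-time CSRF token comparison."""
    session = req.session if browser_attaches_cookie(req) else None
    if req.method != "POST" or session is None or not session.is_admin:
        return False
    if req.origin != SITE_ORIGIN:            # cross-site form posts are rejected outright
        return False
    if not req.csrf_token:
        return False
    return hmac.compare_digest(req.csrf_token, session.csrf_token)
```

Changing the cookie to SameSite=Lax alone already stops the cross-site POST from carrying the session in this model, but the token check is what makes the endpoint safe regardless of cookie policy.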

Exploit

CSRF


Weakness Enumeration

Related Identifiers

CVE-2026-34611
GHSA-C4XJ-X7P8-3X7Q

Affected Products

Avideo