PT-2026-29359 · Unknown+1 · Wp Login Control+1

Adrgs · Published 2026-03-31 · Updated 2026-04-01 · CVE-2026-34613

CVSS v3.1: 6.5 (Medium)

Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Name of the Vulnerable Software and Affected Versions

AVideo versions 26.0 and prior

Description

In AVideo versions 26.0 and prior, the objects/pluginSwitch.json.php endpoint, which lets administrators enable or disable plugins, lacks CSRF token validation. The plugins database table is excluded from security checks, so saves to it bypass Referer/Origin domain validation. With SameSite=None set on session cookies, an attacker who tricks an administrator into visiting a malicious page can disable security plugins, such as LoginControl (two-factor authentication) or plugins for subscription enforcement or access control.

Recommendations

At the moment, there is no information about a newer version that contains a fix for this vulnerability.
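
While no fixed version is listed, web server logs can be reviewed for plugin toggles that did not originate from the site itself. The following is an added example, not code from AVideo or from this advisory: a heuristic that scans access logs for POST requests to objects/pluginSwitch.json.php with a missing or foreign Referer. It assumes the Apache/nginx "combined" log format; the function name, the site host video.example.org and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Endpoint named in the advisory; matched at the end of the path so that
# installs under a sub-directory are covered as well.
ENDPOINT = "objects/pluginSwitch.json.php"

# "combined" log format: client, timestamp, request line, status, size, Referer, UA.
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

def suspicious_plugin_switches(lines, site_host):
    """Return (timestamp, client_ip, reason) for POSTs to the plugin switch
    endpoint whose Referer is missing or names a host other than site_host."""
    findings = []
    for line in lines:
        m = COMBINED.match(line)
        if not m or m["method"] != "POST":
            continue
        if not urlsplit(m["target"]).path.endswith("/" + ENDPOINT):
            continue
        referer = m["referer"]
        if referer in ("", "-"):
            findings.append((m["ts"], m["ip"], "no Referer"))
            continue
        host = (urlsplit(referer).hostname or "").lower()
        if host != site_host.lower():
            reason = "foreign Referer host: " + (host or "unparseable")
            findings.append((m["ts"], m["ip"], reason))
    return findings

# Constructed sample log lines (documentation IP ranges, example domains).
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Apr/2026:10:02:11 +0000] "POST /objects/pluginSwitch.json.php HTTP/1.1" 200 31 "https://video.example.org/" "Mozilla/5.0"',
    '203.0.113.9 - - [01/Apr/2026:10:15:42 +0000] "POST /objects/pluginSwitch.json.php HTTP/1.1" 200 31 "https://other.example.net/page" "Mozilla/5.0"',
    '203.0.113.9 - - [01/Apr/2026:10:16:03 +0000] "POST /objects/pluginSwitch.json.php HTTP/1.1" 200 31 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Apr/2026:10:20:00 +0000] "GET /objects/pluginSwitch.json.php HTTP/1.1" 200 31 "https://other.example.net/page" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Apr/2026:10:21:00 +0000] "POST /objects/login.json.php HTTP/1.1" 200 31 "https://other.example.net/page" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in suspicious_plugin_switches(SAMPLE_LOG, "video.example.org"):
        print(*finding, sep="  ")
```

A missing Referer can also come from a browser privacy setting, so those hits are leads for review rather than proof; compare their timestamps with unexpected changes in plugin state.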

Exploit

CSRF

Weakness Enumeration

Related Identifiers

CVE-2026-34613
GHSA-HQXF-MHFW-RC44

Affected Products

Avideo
Wp Login Control