PT-2026-30285 · Avideo · Avideo
Adrgs · Published 2026-04-03 · Updated 2026-04-06 · CVE-2026-35181
CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions: AVideo versions 26.0 and prior
Description: The player skin configuration endpoint at /admin/playerUpdate.json.php does not validate CSRF tokens. The plugins table is explicitly excluded from the ORM's domain-based security check via ignoreTableSecurityCheck(), removing a layer of defense. Combined with session cookies set to SameSite=None, a cross-origin POST can change the video player appearance for the entire platform. The vulnerable code is at line 17 of admin/playerUpdate.json.php, which assigns the skin directly from POST data with $pluginDO->skin = $_POST['skin']; and performs no CSRF validation. The ignoreTableSecurityCheck() call bypasses the ORM-level protection for plugin configuration, and because AVideo's session cookies are configured with SameSite=None, the admin's authenticated session cookie is attached to cross-origin POST requests.
Recommendations: Add CSRF token validation in /admin/playerUpdate.json.php before any POST data is processed:

```php
// admin/playerUpdate.json.php (before line 17)
if (!isGlobalTokenValid()) {
  die('{"error":"Invalid CSRF token"}');
}
```
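As an added example (not AVideo's code), the following self-contained PHP script models the /admin/playerUpdate.json.php handler with the recommended token check placed in front of the skin assignment, and runs two constructed requests through it: a cross-origin form post that carries the admin's session cookie but no token, and a legitimate request from the admin UI that carries the token. isGlobalTokenValid() is AVideo's own helper; the csrf_token_issue()/csrf_token_valid() functions, the ALLOWED_SKINS allow-list and the two sample requests are assumptions made for this example.

```php
<?php
// Added example, not AVideo's code: a minimal model of the player skin update
// handler with a CSRF check in front of the skin assignment. The token helpers
// below are hypothetical stand-ins for AVideo's isGlobalTokenValid().
declare(strict_types=1);

// Hypothetical token helper: one random token per session, issued on first use.
function csrf_token_issue(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Hypothetical validator: the token must be present in the POST body and match
// the session token; hash_equals() keeps the comparison constant-time.
function csrf_token_valid(array $session, array $post): bool
{
    $expected = $session['csrf_token'] ?? '';
    $given    = $post['csrf_token'] ?? '';
    return $expected !== '' && is_string($given) && hash_equals($expected, $given);
}

// Constructed allow-list of skins the player supports; the real set is AVideo's.
const ALLOWED_SKINS = ['default', 'dark', 'flat'];

// Model of the handler. $session is the admin session the browser attaches to
// the request (with SameSite=None it is attached to cross-origin POSTs as well),
// $post is the form body, $plugin_config stands in for the plugins table row.
function player_update(array $session, array $post, array &$plugin_config): array
{
    // The check the advisory recommends: reject before touching POST data.
    if (!csrf_token_valid($session, $post)) {
        return ['error' => 'Invalid CSRF token'];
    }
    $skin = $post['skin'] ?? '';
    if (!is_string($skin) || !in_array($skin, ALLOWED_SKINS, true)) {
        return ['error' => 'Unknown skin'];
    }
    $plugin_config['skin'] = $skin; // the equivalent of $pluginDO->skin = ...;
    return ['status' => 'ok', 'skin' => $skin];
}

// Constructed state: an authenticated admin session and the current plugin row.
$session = ['user' => 'admin'];
$token   = csrf_token_issue($session);
$config  = ['skin' => 'default'];

// 1. Attacker-controlled page on another origin auto-submits a form: the
//    session cookie rides along, but the page cannot read the token.
$crossOrigin = player_update($session, ['skin' => 'dark'], $config);
echo json_encode($crossOrigin), PHP_EOL;
echo 'skin after cross-origin request: ', $config['skin'], PHP_EOL;

// 2. The admin UI submits the same change with the token rendered into its form.
$legit = player_update($session, ['skin' => 'dark', 'csrf_token' => $token], $config);
echo json_encode($legit), PHP_EOL;
echo 'skin after legitimate request: ', $config['skin'], PHP_EOL;
```

The token check is the fix that closes the hole regardless of cookie policy. Tightening the session cookie to SameSite=Lax (for example via session_set_cookie_params(['samesite' => 'Lax', 'secure' => true, 'httponly' => true]) before session_start()) would stop the browser attaching the admin cookie to cross-site POSTs at all, but whether AVideo can drop SameSite=None without breaking embedded players is an assumption to verify against the deployment, so treat it as defense in depth rather than a replacement for the token.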

Tags: Exploit · Fix · CSRF


Weakness Enumeration

Related Identifiers

CVE-2026-35181
GHSA-4Q27-4RRQ-FX95

Affected Products

Avideo