PT-2026-30713 · Wwbn · Avideo

Adrgs · Published 2026-04-06 · Updated 2026-04-06 · CVE-2026-35180

CVSS v3.1: 4.3 (Medium)

Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Name of the Vulnerable Software and Affected Versions

WWBN AVideo versions 26.0 and prior

Description

WWBN AVideo, an open source video platform, has an issue in versions 26.0 and prior where the site customization endpoint at admin/customize_settings_nativeUpdate.json.php does not validate CSRF tokens. This allows a cross-origin POST request to overwrite the platform's logo with attacker-controlled content, as uploaded logo files are written to disk before the ORM's domain-based security check is performed. The SameSite=None cookie policy exacerbates this issue.

Recommendations

Update to a version later than 26.0.
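
The ordering the description calls for, shown as an added example (a hypothetical PHP 8.1+ upload handler, not AVideo's code or its fix): the CSRF token and origin are checked before anything is written to disk, and the session cookie is not SameSite=None. The host name, session key, form field names and upload path are assumptions.

```php
<?php
// Added example: hypothetical logo-upload endpoint, not AVideo source code.
// Assumes a token was stored in $_SESSION['csrf_token'] at login and embedded in the admin form.
declare(strict_types=1);
const SITE_HOST = 'video.example.test'; // placeholder host name

session_set_cookie_params([
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax', // not None: browsers omit the cookie on cross-site POSTs
]);
session_start();

function reject(int $status, string $msg): never
{
    http_response_code($status);
    exit(json_encode(['error' => true, 'msg' => $msg]));
}

// 1. Request-level checks run first, before any side effect on disk.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    reject(405, 'POST required');
}
$expected = (string) ($_SESSION['csrf_token'] ?? '');
$supplied = $_POST['csrf_token'] ?? '';
if (!is_string($supplied) || $expected === '' || !hash_equals($expected, $supplied)) {
    reject(403, 'invalid CSRF token');
}
// Defence in depth: an Origin header sent by the browser must name this site.
$origin = $_SERVER['HTTP_ORIGIN'] ?? '';
if ($origin !== '' && parse_url($origin, PHP_URL_HOST) !== SITE_HOST) {
    reject(403, 'cross-origin request');
}

// 2. Only now handle the upload, and validate it before it replaces the logo.
$file = $_FILES['logo'] ?? null;
if (!is_array($file) || $file['error'] !== UPLOAD_ERR_OK) {
    reject(400, 'no logo uploaded');
}
$mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
if ($mime !== 'image/png') {
    reject(415, 'logo must be PNG');
}
if (!move_uploaded_file($file['tmp_name'], __DIR__ . '/uploads/logo.png')) {
    reject(500, 'could not store logo');
}
echo json_encode(['error' => false]);
```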

Fix

CSRF

Weakness Enumeration

Related Identifiers

CVE-2026-35180

Affected Products

Avideo