PT-2026-34197 · Wwbn · Avideo

Published: 2026-04-14 · Updated: 2026-04-26 · CVE-2026-40926

CVSS v3.1: 7.1 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:L
Name of the Vulnerable Software and Affected Versions: WWBN AVideo versions 29.0 and earlier
Description: Cross-Site Request Forgery occurs in three admin-only JSON endpoints: 'objects/categoryAddNew.json.php', 'objects/categoryDelete.json.php', and 'objects/pluginRunUpdateScript.json.php'. These endpoints perform state-changing database actions by enforcing only role checks via Category::canCreateCategory() and User::isAdmin(), while failing to call isGlobalTokenValid() or forbidIfIsUntrustedRequest(). This allows an attacker to lure a logged-in administrator to a malicious page to create, update, or delete categories and force the execution of any installed plugin's updateScript() method within the administrator's session.
Recommendations: Update to a version containing commit ee5615153c40628ab3ec6fe04962d1f92e67d3e2.
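The defect is the shape of the request guard in those handlers. The PHP below is an added illustration, not AVideo's code: it models an admin-only JSON endpoint with the role-only guard the advisory describes next to a hardened guard, using small stand-ins for the project's isGlobalTokenValid() and forbidIfIsUntrustedRequest() helpers (only their names come from the advisory; the token and origin logic here, the hostnames and the sample requests are constructed assumptions).

```php
<?php
// Added illustration, not AVideo's code. Models the admin-only JSON handler the
// advisory describes and the two checks it was missing, with stand-ins for the
// project's isGlobalTokenValid() and forbidIfIsUntrustedRequest() helpers.
declare(strict_types=1);

// Stand-in for isGlobalTokenValid(): a per-session secret compared in constant
// time against the token the submitting page echoed back. A forged cross-site
// POST carries the session cookie but cannot read this value, so it fails here.
function tokenIsValid(array $session, array $request): bool {
    $expected = $session['csrf_token'] ?? '';
    $given    = $request['global_token'] ?? '';
    return $expected !== '' && is_string($given) && hash_equals($expected, $given);
}

// Stand-in for forbidIfIsUntrustedRequest(): accept only requests whose Origin
// (or Referer, for older clients) names the site's own host.
function originIsTrusted(array $server, string $siteHost): bool {
    $src  = $server['HTTP_ORIGIN'] ?? $server['HTTP_REFERER'] ?? '';
    $host = parse_url($src, PHP_URL_HOST);
    return is_string($host) && strcasecmp($host, $siteHost) === 0;
}

// Vulnerable shape (as described for categoryAddNew.json.php and its two
// siblings): the role check alone decides whether the database write happens.
function guardVulnerable(bool $isAdmin): bool {
    return $isAdmin;
}

// Hardened shape: role check, then session token, then request origin.
function guardHardened(bool $isAdmin, array $session, array $request,
                       array $server, string $siteHost): bool {
    return $isAdmin && tokenIsValid($session, $request) && originIsTrusted($server, $siteHost);
}

// Constructed sample: a logged-in admin whose browser was steered to a third-party
// page that auto-submits a form to the endpoint. Session cookie present, token absent.
$session = ['csrf_token' => bin2hex(random_bytes(16))];
$forged  = ['name' => 'injected-category'];                 // no global_token field
$foreign = ['HTTP_ORIGIN' => 'https://third-party.example'];
$legit   = ['name' => 'news', 'global_token' => $session['csrf_token']];
$own     = ['HTTP_ORIGIN' => 'https://video.example'];

$out = [
    'forged_vulnerable' => guardVulnerable(true),                                            // true: write proceeds
    'forged_hardened'   => guardHardened(true, $session, $forged, $foreign, 'video.example'), // false: rejected
    'legit_hardened'    => guardHardened(true, $session, $legit, $own, 'video.example'),      // true: allowed
];
echo json_encode($out), PHP_EOL;
```

Running it with the PHP CLI prints the three verdicts; the middle one is the case the advisory reports, where a role-only guard lets the forged write through and the token and origin checks stop it.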

Exploit

Fix

Weakness Enumeration: CSRF

Related Identifiers: CVE-2026-40926, GHSA-FFW8-FWXP-H64W

Affected Products: Avideo