PT-2026-34198 · Wwbn · Avideo
Published 2026-04-14 · Updated 2026-04-26 · CVE-2026-40928
CVSS v3.1: 5.4 (Medium)
| Vector | AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L |
Name of the Vulnerable Software and Affected Versions
WWBN AVideo versions prior to 29.1
Description
Multiple JSON endpoints under 'objects/' accept state-changing requests via $_REQUEST and $_GET without anti-CSRF tokens, origin checks, or referer checks. This allows a malicious page to perform actions on behalf of a logged-in user, such as flipping likes or dislikes on comments via 'objects/comments_like.json.php', posting comments with attacker-chosen text via 'objects/commentAddNew.json.php', or deleting assets from categories via 'objects/categoryDeleteAssets.json.php' if the user has management rights.
Recommendations
Update to the version containing commit 7aaad601bd9cd7b993ba0ee1b1bea6c32ee7b77c.
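The description above names the three missing controls (anti-CSRF token, Origin check, Referer check) and the root cause (state-changing parameters read from $_REQUEST/$_GET). The following is an added example written for this page, not AVideo project code and not the referenced fix commit: it shows the shape of a hardened state-changing JSON endpoint in PHP. The function names csrf_token_issue(), request_origin_is_allowed() and csrf_request_is_valid(), the constant ALLOWED_ORIGIN, the parameter name comments_id and the hostname videos.example.test are all assumed for illustration.

```php
<?php
// Added example (not AVideo code): hardened pattern for a state-changing
// JSON endpoint. All names below are hypothetical and chosen for this example.
declare(strict_types=1);
session_start();

// Assumed: the site's canonical origin, taken from server-side configuration,
// never derived from the incoming request (Host header, etc.).
const ALLOWED_ORIGIN = 'https://videos.example.test';

// Issue (or reuse) a per-session token. Embed it in forms or expose it to the
// site's own JavaScript so it can be sent back in the POST body.
function csrf_token_issue(): string
{
    if (empty($_SESSION['csrf_token']) || !is_string($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Origin/Referer check. Browsers set these headers themselves, so a page on
// another site cannot make them match the configured origin.
function request_origin_is_allowed(array $server): bool
{
    $origin = $server['HTTP_ORIGIN'] ?? null;
    if (is_string($origin) && $origin !== '') {
        return $origin === ALLOWED_ORIGIN;
    }
    $referer = $server['HTTP_REFERER'] ?? null;
    if (is_string($referer) && $referer !== '') {
        $parts = parse_url($referer);
        if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
            return false;
        }
        $refOrigin = $parts['scheme'] . '://' . $parts['host']
            . (isset($parts['port']) ? ':' . $parts['port'] : '');
        return $refOrigin === ALLOWED_ORIGIN;
    }
    // Neither header present: fail closed for anything that changes state.
    return false;
}

// Token check. The token is read from $_POST only (a forged GET or a plain
// link could satisfy $_REQUEST/$_GET) and compared in constant time.
function csrf_request_is_valid(array $server, array $post, array $session): bool
{
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return false;
    }
    if (!request_origin_is_allowed($server)) {
        return false;
    }
    $expected = $session['csrf_token'] ?? '';
    $given = $post['csrf_token'] ?? '';
    if (!is_string($expected) || !is_string($given) || $expected === '') {
        return false;
    }
    return hash_equals($expected, $given);
}

// --- Endpoint body (shape only; the real action belongs to the application) ---
header('Content-Type: application/json');
$obj = new stdClass();
$obj->error = true;

if (!csrf_request_is_valid($_SERVER, $_POST, $_SESSION)) {
    http_response_code(403);
    $obj->msg = 'Request rejected: missing or invalid CSRF token or origin';
    echo json_encode($obj);
    exit;
}

// Only after the checks pass are action parameters read, and only from $_POST.
$commentsId = (int) ($_POST['comments_id'] ?? 0);   // hypothetical parameter
// ... perform the like/unlike for the authenticated user here ...
$obj->error = false;
$obj->msg = 'ok';
echo json_encode($obj);
```

Two design points worth noting: the token check and the Origin/Referer check are independent layers, so the endpoint still fails closed if a proxy strips one of the headers; and rejecting non-POST methods before touching any parameter removes the GET-triggered variant outright rather than relying on every caller to use the right superglobal.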
Exploit
Fix
CSRF
Weakness Enumeration
Related Identifiers
Affected Products
Avideo