PT-2026-34199 · Wwbn · Avideo

Published 2026-04-14 · Updated 2026-04-26 · CVE-2026-40929

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
Name of the Vulnerable Software and Affected Versions: WWBN AVideo versions prior to 29.1

Description: A state-mutating JSON endpoint, 'objects/commentDelete.json.php', performs no Cross-Site Request Forgery (CSRF) validation. The endpoint does not call forbidIfIsUntrustedRequest(), verify CSRF or global tokens, or check the Origin and Referer headers. Because the software sets session.cookie_samesite=None to support cross-origin embedded players, requests issued from attacker-controlled pages automatically include the victim's PHPSESSID cookie. An attacker can therefore trick authenticated users with deletion privileges (site moderators, video owners, and comment authors) into deleting comments en masse simply by visiting a malicious page.

Recommendations: Update to a version that includes commit 184f36b1896f3364f864f17c1acca3dd8df3af27.
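The description above names the two checks the endpoint lacks: a session-bound CSRF token and an Origin/Referer check. Because the application deliberately keeps its session cookie at SameSite=None for embedded players, the browser offers no protection and the endpoint must enforce both itself. The following PHP is an added illustrative example of such a gate for a JSON endpoint; it is not AVideo's code, not the content of the fix commit, and not the project's forbidIfIsUntrustedRequest() function. The SITE_ORIGIN constant, the $_SESSION['csrf_token'] slot and the csrf_token POST field are assumed names.

```php
<?php
// Added example (not AVideo's code): an explicit CSRF gate for a
// state-mutating JSON endpoint whose session cookie stays SameSite=None.
// Assumed names: SITE_ORIGIN, $_SESSION['csrf_token'], $_POST['csrf_token'].

declare(strict_types=1);

const SITE_ORIGIN = 'https://video.example.com'; // assumed deployment origin

function jsonDeny(string $msg): void {
    http_response_code(403);
    header('Content-Type: application/json');
    echo json_encode(['error' => true, 'msg' => $msg]);
    exit;
}

/** True only if Origin (or, failing that, Referer) matches the site origin exactly. */
function isSameOriginRequest(array $server, string $siteOrigin): bool {
    $site = parse_url($siteOrigin);
    $source = $server['HTTP_ORIGIN'] ?? $server['HTTP_REFERER'] ?? '';
    if ($source === '') {
        return false; // a header-less state-changing request is treated as untrusted
    }
    $src = parse_url($source);
    if ($src === false || empty($src['scheme']) || empty($src['host'])) {
        return false;
    }
    // Compare scheme, host and port; a prefix match on the host string is not enough.
    return strtolower($src['scheme']) === strtolower($site['scheme'])
        && strtolower($src['host']) === strtolower($site['host'])
        && ($src['port'] ?? null) === ($site['port'] ?? null);
}

/** Issue one random token per session; the page embeds it in its forms/scripts. */
function csrfToken(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

/** Constant-time comparison so the check does not leak the token byte by byte. */
function isValidCsrfToken(?string $submitted, ?string $expected): bool {
    return is_string($submitted) && is_string($expected)
        && hash_equals($expected, $submitted);
}

// --- endpoint body: every check runs before any privileged action ---
session_start();
if (($_SERVER['REQUEST_METHOD'] ?? 'GET') !== 'POST') {
    jsonDeny('POST required');
}
if (!isSameOriginRequest($_SERVER, SITE_ORIGIN)) {
    jsonDeny('cross-origin request rejected');
}
if (!isValidCsrfToken($_POST['csrf_token'] ?? null, $_SESSION['csrf_token'] ?? null)) {
    jsonDeny('missing or invalid CSRF token');
}
// Only now perform the deletion, after the usual ownership/privilege checks.
```

The two checks are complementary: the Origin/Referer comparison catches the plain cross-site form post described in the advisory, while the per-session token still protects requests whose headers are absent or stripped by a proxy. Neither check depends on the SameSite attribute, which is the point when the cookie must remain SameSite=None.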

Exploit

Fix

CSRF

Weakness Enumeration

Related Identifiers

CVE-2026-40929
GHSA-8QM8-G55H-XMQR

Affected Products

Avideo