PT-2026-37293 · WWBN · AVideo
Published: 2026-05-05 · Updated: 2026-05-12
CVE-2026-43877
CVSS v3.1: 5.4 (Medium)
| Vector | AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L |
Name of the Vulnerable Software and Affected Versions
WWBN AVideo versions prior to 29.0
Description
A Cross-Site Request Forgery (CSRF) issue exists in the legacy profile-photo endpoint "objects/userSavePhoto.php". The endpoint accepts a base64-encoded POST parameter, imgBase64, and writes the decoded bytes to the server without CSRF token validation, Origin/Referer checks, or MIME validation of the decoded bytes. This happens because the endpoint's filename does not end in ".json.php", which excludes it from the global autoCSRFGuard mechanism. In addition, the default cookie policy on HTTPS is SameSite=None; Secure, so browsers attach session cookies to cross-site POST requests.

An attacker can lure a logged-in user to a malicious page and overwrite that user's profile photo with arbitrary bytes. Every forged request also triggers a site-wide clearCache(true) call, which can cause global cache invalidation, and because the uploaded data has no size cap, repeated requests can create disk pressure.

Recommendations
Update to a version that includes commit 9c38468041505e637101c5943c5370c68f48e3ac.
As a temporary workaround, restrict access to the "objects/userSavePhoto.php" endpoint or the imgBase64 parameter until the update is applied.
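The controls the description says the endpoint lacks (Origin/Referer check, CSRF token, size cap, MIME sniffing of the decoded bytes), modelled in Python as an added example; this is not AVideo's code, and SITE_ORIGIN, MAX_PHOTO_BYTES and the csrf_token field name are assumptions.

```python
import base64
import hmac
from urllib.parse import urlsplit

# Constructed site identity and limit for this example; the real deployment's values differ.
SITE_ORIGIN = "https://avideo.example"
MAX_PHOTO_BYTES = 2 * 1024 * 1024  # decoded-size cap; the vulnerable endpoint had none
MAGIC = {  # leading bytes of the only image types this example accepts
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"\xff\xd8\xff": "image/jpeg",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
}

def sniff_image_type(data: bytes):
    """Return the MIME type matching the magic bytes, or None if not an allowed image."""
    for magic, mime in MAGIC.items():
        if data.startswith(magic):
            return mime
    return None

def check_photo_upload(headers: dict, form: dict, session_csrf_token: str):
    """Return (ok, reason, decoded_bytes) for a profile-photo POST.

    Order matters: reject cross-site and token-less requests before touching the
    payload, bound the payload before decoding, then sniff the decoded bytes."""
    origin = headers.get("Origin") or headers.get("Referer")
    if origin is None:
        return False, "missing Origin and Referer", b""
    o, s = urlsplit(origin), urlsplit(SITE_ORIGIN)
    if (o.scheme, o.netloc) != (s.scheme, s.netloc):
        return False, "cross-site origin", b""
    # Per-session token compared in constant time (hypothetical csrf_token form field).
    if not hmac.compare_digest(form.get("csrf_token", ""), session_csrf_token):
        return False, "bad CSRF token", b""
    b64 = form.get("imgBase64", "")
    if b64.startswith("data:"):          # tolerate a data-URL prefix from the client
        b64 = b64.split(",", 1)[-1]
    if len(b64) > MAX_PHOTO_BYTES * 4 // 3 + 4:   # bound the work before decoding
        return False, "payload too large", b""
    try:
        data = base64.b64decode(b64, validate=True)   # strict: no stray characters
    except ValueError:
        return False, "invalid base64", b""
    if len(data) > MAX_PHOTO_BYTES:
        return False, "decoded image too large", b""
    if sniff_image_type(data) is None:
        return False, "not an allowed image type", b""
    return True, "ok", data
```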
Affected Products: AVideo