PT-2026-37296 · Avideo · Avideo
Offset · Published 2026-05-05 · Updated 2026-05-12 · CVE-2026-43880
CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions
AVideo versions prior to 29.0
Description
An issue exists in the 'objects/sendEmail.json.php' endpoint where the absence of the contactForm parameter allows unauthenticated users to send emails to arbitrary recipients. When this parameter is omitted, the system sets the $sendTo variable to an attacker-supplied email address and uses the site's own contact email as the sender (From/Reply-To). Because the endpoint is listed as a public write action in 'objects/functionsSecurity.php', it requires neither authentication nor a CSRF token. An attacker who solves a captcha can therefore force the site's SMTP infrastructure to send composed emails that appear to originate from the site's legitimate address, so they pass SPF, DKIM, and DMARC checks. This can be used for targeted phishing and brand impersonation.
Recommendations
Update to a version containing commit 4e3709895857a5857f0edb46b0ee984de0d9e1a2.
As a temporary workaround, restrict access to the 'objects/sendEmail.json.php' endpoint or ensure that the contactForm parameter is mandatory for all requests.
Exploit
Fix
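An illustrative hardened handler for the pattern described in this advisory, added here as an example and not AVideo's own code: the contactForm parameter is required, and the recipient is never derived from the request. The function name, the `$config['contactEmail']` setting and the request field names are assumptions.

```php
<?php
// Illustrative example, not AVideo's code: a contact-form mail endpoint
// hardened against the recipient-injection pattern described in the advisory.
// Assumed: $config['contactEmail'] holds the site's own contact address and
// the client submits contactForm, name, email and message fields.
/**
 * Validate a contact-form request and build the message to send.
 * Returns the message parts on success, or null if the request is rejected.
 */
function buildContactMail(array $request, array $config): ?array
{
    // Require the contactForm marker. An omitted parameter must not fall
    // through to a code path that accepts a client-chosen recipient.
    if (empty($request['contactForm'])) {
        return null;
    }

    // The recipient is always the configured site contact address;
    // no request field is ever used as $sendTo.
    $sendTo = $config['contactEmail'];

    $visitorEmail = filter_var($request['email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($visitorEmail === false) {
        return null;
    }

    // Strip CR/LF so user input cannot smuggle extra mail headers.
    $name = str_replace(["\r", "\n"], ' ', trim((string)($request['name'] ?? '')));
    $message = trim((string)($request['message'] ?? ''));
    if ($name === '' || $message === '') {
        return null;
    }

    return [
        'to'      => $sendTo,
        'from'    => $config['contactEmail'], // the site writes to itself
        'replyTo' => $visitorEmail,           // so staff can answer the visitor
        'subject' => 'Contact form submission from ' . $name,
        'body'    => $message,
    ];
}

// Constructed requests: a legitimate submission, and one that omits
// contactForm while supplying its own recipient (rejected).
$config = ['contactEmail' => 'contact@example.invalid'];
var_dump(buildContactMail(['contactForm' => '1', 'name' => 'Alice',
    'email' => 'alice@example.invalid', 'message' => 'Hello'], $config));
var_dump(buildContactMail(['sendTo' => 'anyone@example.invalid',
    'email' => 'alice@example.invalid', 'message' => 'Hello'], $config));
```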
Weakness Enumeration
Related Identifiers
Affected Products
Avideo