CVE-2026-33479 Overview
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the Gallery plugin's saveSort.json.php endpoint interpolates unsanitized values from the $_REQUEST['sections'] array directly into a string handed to PHP's eval(). The endpoint is gated behind User::isAdmin(), but it performs no CSRF token validation. Because AVideo explicitly sets its session cookie to SameSite=None (an attribute browsers only honor together with Secure), the cookie is attached to cross-site requests, so an attacker holding no credentials of their own can reach remote code execution through cross-site request forgery. The only requirement is that a logged-in administrator visits an attacker-controlled page.
Critical Impact
This vulnerability chains a missing CSRF check with PHP code injection through eval(): an attacker with no account on the instance obtains remote code execution, and with it full control of the AVideo server, as soon as an administrator visits a malicious page while logged in.
Affected Products
- WWBN AVideo versions up to and including 26.0
- AVideo Gallery plugin (plugin/Gallery/view/saveSort.json.php)
- All AVideo deployments that keep the project's SameSite=None session cookie setting
Discovery Timeline
- 2026-03-23 - CVE CVE-2026-33479 published to NVD
- 2026-03-24 - Last updated in NVD database
Technical Details for CVE-2026-33479
Vulnerability Analysis
This vulnerability represents a dangerous combination of two weaknesses: Cross-Site Request Forgery (CSRF) and Code Injection through PHP's eval() function. The saveSort.json.php endpoint in the Gallery plugin accepts user-controlled input via the $_REQUEST['sections'] array and directly interpolates these values into an eval() statement without any sanitization or validation.
The attack chain relies on the SameSite=None attribute AVideo sets on its session cookie, which tells the browser to include that cookie on cross-site requests. When an authenticated administrator visits an attacker-controlled webpage, that page can submit a crafted request to the vulnerable endpoint and the browser attaches the admin's session cookie. The User::isAdmin() check therefore passes, and because no CSRF token is validated, nothing ties the request to a page the administrator actually loaded from the AVideo origin.
Once the attacker-controlled input reaches the eval() function, arbitrary PHP code execution is achieved on the server. This allows complete system compromise including data theft, malware deployment, and lateral movement within the network.
Root Cause
The root cause is twofold. First, user-controlled input is interpolated into PHP source: in eval("\$object->{$value}Order = \$key;"), \$object and \$key are escaped and remain variable references, but {$value} is expanded before eval() runs, so a section name of the shape x; <php statements>; $y closes the assignment and executes arbitrary statements with the web server's privileges. Second, this state-changing endpoint has no CSRF token validation, and the SameSite=None cookie attribute lets a cross-site request carry the administrator's session.
Attack Vector
The attack is network-based and requires user interaction: an administrator must visit an attacker-controlled webpage while logged into AVideo. The attacker hosts a page containing a hidden form or JavaScript that automatically submits a request to the saveSort.json.php endpoint with a sections[] value containing PHP code. Because the endpoint reads $_REQUEST, which with PHP's default request_order includes both the query string and the form body, the payload can travel in a GET URL as well as a POST form. No CSRF token is required, the session cookie is sent automatically because of SameSite=None, and the admin's session satisfies the isAdmin() gate, so the server evaluates the attacker's code.
// Vulnerable code from saveSort.json.php (before patch)
// User input from $_REQUEST['sections'] is passed directly to eval()
if(!empty($_REQUEST['sections'])){
    $object = $gallery->getDataObject();
    foreach ($_REQUEST['sections'] as $key => $value) {
        $obj->sectionsSaved[] = array($key=>$value);
        // $value is expanded into the PHP source string before eval() runs;
        // \$object and \$key are escaped and stay variable references
        eval("\$object->{$value}Order = \$key;");
    }
    $obj->error = !$gallery->setDataObject($object);
}
Source: GitHub Commit Update
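The following is an added example of how the same save-order logic can be written without eval() and behind a CSRF check. It is illustrative code, not WWBN's patch. Its assumptions are not taken from the advisory: the session's copy of the token is assumed to live in $_SESSION['globalToken'] (the advisory only names the request parameter globalToken), the token is generated inline as a stand-in for however the project issues it, the section names in ALLOWED_SECTIONS are placeholders for whatever list the Gallery plugin really uses, and $isAdmin stands in for User::isAdmin().

```php
<?php
declare(strict_types=1);

// Added example, not WWBN's patch. Assumptions: token stored in
// $_SESSION['globalToken'] (assumed location), placeholder section names,
// and a boolean standing in for User::isAdmin().

const ALLOWED_SECTIONS = ['SectionA', 'SectionB', 'SectionC']; // placeholders

// Constant-time comparison of the submitted token against the session copy.
function csrfTokenValid(array $request, array $session): bool
{
    $sent  = $request['globalToken'] ?? '';
    $known = $session['globalToken'] ?? '';
    if (!is_string($sent) || !is_string($known) || $known === '') {
        return false;
    }
    return hash_equals($known, $sent);
}

// Replaces: eval("\$object->{$value}Order = \$key;")
// The section name must pass an allow-list and a property-name charset check;
// it is then used as a dynamic property name. No code string is ever built.
function applySectionOrder(object $object, array $sections): array
{
    $rejected = [];
    foreach ($sections as $key => $value) {
        $position = filter_var($key, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
        if (!is_string($value)
            || $position === false
            || !preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $value)
            || !in_array($value, ALLOWED_SECTIONS, true)) {
            $rejected[] = $value;
            continue;
        }
        $object->{$value . 'Order'} = $position;
    }
    return $rejected;
}

// Request handling in the order the endpoint should apply it:
// admin gate, then CSRF token, then input validation.
function handleSaveSort(bool $isAdmin, array $request, array $session, object $object): array
{
    if (!$isAdmin) {
        return ['error' => true, 'msg' => 'admin only'];
    }
    if (!csrfTokenValid($request, $session)) {
        return ['error' => true, 'msg' => 'missing or invalid CSRF token'];
    }
    if (empty($request['sections']) || !is_array($request['sections'])) {
        return ['error' => true, 'msg' => 'no sections'];
    }
    $rejected = applySectionOrder($object, $request['sections']);
    return ['error' => $rejected !== [], 'rejected' => $rejected];
}

// Constructed inputs for a stand-alone run (php hardened_savesort.php).
$session = ['globalToken' => bin2hex(random_bytes(16))]; // stand-in token issuance
$object  = new stdClass();

// 1. Cross-site request: the lure page cannot know the token, so it fails
//    before any sections value is looked at.
var_dump(handleSaveSort(true, ['sections' => [0 => 'SectionA']], $session, $object));

// 2. Same-site request with a valid token but a hostile section name: the
//    value that previously became PHP source is simply rejected.
$hostile = ['globalToken' => $session['globalToken'],
            'sections'    => [0 => 'x; phpinfo(); $y']];
var_dump(handleSaveSort(true, $hostile, $session, $object));

// 3. Legitimate reorder: SectionBOrder = 0, SectionAOrder = 1.
$ok = ['globalToken' => $session['globalToken'],
       'sections'    => [0 => 'SectionB', 1 => 'SectionA']];
var_dump(handleSaveSort(true, $ok, $session, $object), $object);
```

The allow-list is the real control; the charset regex is defense in depth for the day someone loosens the list. Note that token validation alone would stop the cross-site path but leave the injection reachable to anyone holding an admin session, which is why the eval() is replaced rather than merely guarded.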
Detection Methods for CVE-2026-33479
Indicators of Compromise
- Requests (POST or GET, since the endpoint reads $_REQUEST) to /plugin/Gallery/view/saveSort.json.php whose Referer or Origin header names another site; a missing Referer is a weaker signal, since browsers honoring a strict referrer policy also send none
- Web server logs showing sections parameters containing PHP code patterns such as backticks, semicolons, system(), exec(), or passthru(); note that standard access logs record only the query string, so a payload sent in a POST body is visible only to a WAF, mod_security, or application-level logging
- Unexpected process spawning from the PHP-FPM or Apache worker processes
- New or modified files in the AVideo installation directory with suspicious content
Detection Strategies
- Implement web application firewall (WAF) rules to detect and block requests containing PHP code injection patterns in POST parameters
- Monitor for cross-origin requests to admin-only endpoints, especially from untrusted referrers
- Deploy endpoint detection to identify unusual command execution originating from web server processes
- Review access logs for patterns indicating exploitation attempts against the saveSort.json.php endpoint
Monitoring Recommendations
- Enable verbose logging for the AVideo Gallery plugin and monitor for failed or suspicious requests
- Set up alerts for any admin-level API calls originating from external referrers
- Monitor process creation events on web servers for child processes spawned by PHP workers
- Implement file integrity monitoring on the AVideo installation directory
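As an added example of the log review and alerting described above (not part of the advisory or the AVideo project), the script below scans combined-format access log lines for the vulnerable endpoint and flags eval()-injection patterns in a sections query parameter and Referers from another origin. The hostname in SITE_HOST and the sample log lines are constructed for the example.

```php
<?php
declare(strict_types=1);

// Added example, not from the advisory or the AVideo project. Scans
// Apache/nginx combined-format access log lines for requests to the
// vulnerable endpoint and flags (a) eval()-injection patterns in a
// "sections" query parameter and (b) a Referer from another origin.
// Caveat: POST bodies are not in access logs, so a POST with a clean URL
// can only be flagged on its Referer. SITE_HOST is an assumed hostname.

const TARGET_PATH = '/plugin/Gallery/view/saveSort.json.php';
const SITE_HOST   = 'videos.example.com';

// ip ident user [time] "METHOD target HTTP/x" status bytes "referer" "ua"
const LOG_RE = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "[^"]*"$/';

// Characters and calls that have no place in a section name but do in a
// payload. Matched after URL decoding, so %3B and %60 are caught as well.
const PAYLOAD_RE = '/`|[;$]|\b(?:system|exec|passthru|shell_exec|popen|proc_open|eval|assert|include|require)\s*\(/i';

function analyzeLine(string $line): ?array
{
    if (!preg_match(LOG_RE, trim($line), $m)) {
        return null; // not a combined-format line
    }
    [, $ip, $time, $method, $target, $status, $referer] = $m;
    $url = parse_url($target);
    if (!is_array($url) || ($url['path'] ?? '') !== TARGET_PATH) {
        return null; // some other endpoint
    }
    $reasons = [];
    if (!empty($url['query'])) {
        parse_str($url['query'], $params); // decodes sections%5B0%5D=... into an array
        foreach ((array) ($params['sections'] ?? []) as $value) {
            if (is_string($value) && preg_match(PAYLOAD_RE, $value)) {
                $reasons[] = 'php-injection-pattern';
                break;
            }
        }
    }
    $refHost = null;
    if ($referer !== '-' && $referer !== '') {
        $h = parse_url($referer, PHP_URL_HOST);
        $refHost = is_string($h) ? $h : null;
    }
    if ($refHost === null) {
        $reasons[] = 'no-referer'; // weak signal: strict referrer policies also cause this
    } elseif (strcasecmp($refHost, SITE_HOST) !== 0) {
        $reasons[] = 'cross-origin-referer';
    }
    return ['ip' => $ip, 'time' => $time, 'method' => $method, 'status' => $status, 'reasons' => $reasons];
}

function scanLog(iterable $lines): array
{
    $hits = [];
    foreach ($lines as $n => $line) {
        $r = analyzeLine($line);
        if ($r !== null && $r['reasons'] !== []) {
            $hits[] = ['line' => $n + 1] + $r;
        }
    }
    return $hits;
}

// Constructed sample traffic (not real log data): a legitimate save, a GET
// carrying a payload in the query string, a POST from a lure page, and an
// unrelated request.
$sample = [
    '203.0.113.5 - - [24/Mar/2026:10:01:02 +0000] "POST /plugin/Gallery/view/saveSort.json.php HTTP/1.1" 200 31 "https://videos.example.com/plugin/Gallery/edit" "Mozilla/5.0"',
    '203.0.113.5 - - [24/Mar/2026:10:05:44 +0000] "GET /plugin/Gallery/view/saveSort.json.php?sections%5B0%5D=x%3Bsystem%28%27id%27%29%3B%24y HTTP/1.1" 200 31 "https://attacker.example/lure.html" "Mozilla/5.0"',
    '203.0.113.5 - - [24/Mar/2026:10:06:01 +0000] "POST /plugin/Gallery/view/saveSort.json.php HTTP/1.1" 200 31 "https://attacker.example/lure.html" "Mozilla/5.0"',
    '198.51.100.7 - - [24/Mar/2026:10:07:13 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
];

$lines = $argc > 1 ? file($argv[1], FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) : $sample;
foreach (scanLog($lines) as $hit) {
    printf("line %d: %s from %s at %s -> %s\n",
        $hit['line'], $hit['method'], $hit['ip'], $hit['time'], implode(', ', $hit['reasons']));
}
```

Run it as php detect_savesort.php /var/log/apache2/access.log, or with no argument to use the constructed sample. On the sample, the second line is reported for both the injection pattern and the cross-origin Referer, the third only for its Referer, and the first stays silent because its Referer is same-site and its parameters are clean. Treat the no-referer reason as a triage hint rather than an alert on its own.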
How to Mitigate CVE-2026-33479
Immediate Actions Required
- Update AVideo to a version containing commit 087dab8841f8bdb54be184105ef19b47c5698fcb or later
- Disable the Gallery plugin if it is not required until the patch can be applied
- Implement WAF rules to block requests to saveSort.json.php containing suspicious patterns
- Review web server logs for evidence of prior exploitation attempts
Patch Information
WWBN has released a security patch in commit 087dab8841f8bdb54be184105ef19b47c5698fcb that addresses this vulnerability by implementing CSRF token validation. The patch adds a globalToken parameter requirement to the saveSort.json.php endpoint and modifies the frontend JavaScript in sections.js to include this token with requests. The advisory text describes only the CSRF fix, so when applying it, check the patched file for whether the eval() call itself was removed or its input constrained: token validation closes the cross-site path, but an eval() of request data would still be reachable to anyone holding an admin session.
For more information, see the GitHub Security Advisory and the patch commit.
Workarounds
- Restrict access to the AVideo admin panel to trusted IP addresses only using firewall rules or web server configuration. This does not stop the CSRF path, since the forged request comes from the administrator's own browser; it only limits exposure to administrators browsing from allowed networks and is no substitute for the patch.
- Implement a reverse proxy with WAF capabilities to inspect and filter malicious requests
- Set the session cookie to SameSite=Strict. SameSite=Lax is only a partial measure here: browsers still send Lax cookies on top-level GET navigations, and because the endpoint reads $_REQUEST (which, with PHP's default request_order, includes the query string), a link or redirect to the endpoint could still carry the admin's session. Changing the attribute may break any cross-site embedding for which the project chose SameSite=None, so test before rolling it out.
- Educate administrators about the risks of visiting untrusted websites while logged into the AVideo admin panel
# Apache 2.4 configuration to restrict access to the Gallery sort endpoint
# (multiple Require lines inside a Location default to RequireAny)
<Location "/plugin/Gallery/view/saveSort.json.php">
    Require ip 10.0.0.0/8
    Require ip 192.168.0.0/16
</Location>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.