CVE-2026-35181 Overview
CVE-2026-35181 is a Cross-Site Request Forgery (CSRF) vulnerability affecting WWBN AVideo, an open source video platform. In versions 26.0 and prior, the player skin configuration endpoint at admin/playerUpdate.json.php does not validate CSRF tokens. The plugins table is explicitly excluded from the ORM's domain-based security check via ignoreTableSecurityCheck(), removing the only other layer of defense. Combined with SameSite=None cookies, a cross-origin POST can modify the video player appearance on the entire platform.
Critical Impact
An attacker can exploit this CSRF vulnerability to modify the video player appearance across the entire AVideo platform without needing credentials of their own, since the forged request rides on a logged-in administrator's session, potentially enabling defacement or malicious content injection through cross-origin requests.
Affected Products
- WWBN AVideo versions 26.0 and prior
Discovery Timeline
- 2026-04-06 - CVE-2026-35181 published to NVD
- 2026-04-07 - Last updated in NVD database
Technical Details for CVE-2026-35181
Vulnerability Analysis
This vulnerability is classified as CWE-352 (Cross-Site Request Forgery). The core issue lies in the admin/playerUpdate.json.php endpoint's failure to implement CSRF token validation, a critical security control for state-changing operations. The vulnerability is compounded by an intentional security exclusion: the ignoreTableSecurityCheck() function explicitly removes the plugins table from the ORM's domain-based security verification.
The attack is network-accessible and requires user interaction, specifically that an authenticated administrator visits a malicious page while their session is active. The configuration of SameSite=None cookies enables cross-origin requests to include authentication credentials, allowing the attack to succeed from any malicious website.
Root Cause
The root cause is the absence of CSRF token validation on the player skin configuration endpoint combined with the explicit exclusion of the plugins table from security checks via ignoreTableSecurityCheck(). This design flaw, coupled with permissive cookie settings (SameSite=None), creates an exploitable attack surface that allows unauthorized cross-origin modification of platform-wide video player settings.
Attack Vector
The attack vector is network-based, requiring an authenticated administrator to visit a malicious web page. The attacker crafts a page containing a hidden form or JavaScript that automatically submits a POST request to the vulnerable admin/playerUpdate.json.php endpoint. Because the endpoint lacks CSRF protection and cookies are configured with SameSite=None, the victim's browser includes their authentication credentials with the cross-origin request, allowing the attacker to modify video player configurations on behalf of the administrator.
The attack exploits the trust relationship between the browser and the AVideo platform, leveraging the administrator's active session to make unauthorized changes. For technical details and proof-of-concept information, refer to the GitHub Security Advisory.
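The two controls the advisory says are absent on the endpoint, a same-origin check on Origin/Referer and a per-session synchronizer token, are easy to see side by side. The following is an added example written for this page, not AVideo's code: the Request class, the session dictionary, the SITE_ORIGIN value and the cookie name are assumptions standing in for the real application. vulnerable_update() accepts any POST that carries a valid session cookie, which is the behaviour described above; hardened_update() adds the missing checks in the order a handler should apply them.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Origin the platform is served from; an assumed value for this example.
SITE_ORIGIN = "https://video.example.test"
ENDPOINT = "/admin/playerUpdate.json.php"


@dataclass
class Request:
    """Minimal stand-in for an inbound HTTP request (hypothetical; not AVideo's request object)."""
    method: str
    path: str
    headers: Dict[str, str] = field(default_factory=dict)
    cookies: Dict[str, str] = field(default_factory=dict)
    form: Dict[str, str] = field(default_factory=dict)


def new_csrf_token() -> str:
    """Per-session secret: stored server-side and echoed into every admin form as a hidden field."""
    return secrets.token_urlsafe(32)


def session_is_valid(req: Request, sessions: Dict[str, dict]) -> bool:
    return req.cookies.get("PHPSESSID") in sessions


def vulnerable_update(req: Request, sessions: Dict[str, dict]) -> Tuple[bool, str]:
    """The pattern the advisory describes: a valid session cookie is the only gate, so any
    POST to which the browser attaches that cookie is accepted, whatever page sent it."""
    if req.method != "POST" or req.path != ENDPOINT or not session_is_valid(req, sessions):
        return False, "rejected: no valid session"
    return True, "player config updated"


def request_origin(req: Request) -> Optional[str]:
    """Origin header if present, else scheme+host of Referer, else None."""
    origin = req.headers.get("Origin")
    if origin:
        return origin.rstrip("/")
    referer = req.headers.get("Referer")
    if referer:
        parts = urlsplit(referer)
        if parts.scheme and parts.netloc:
            return f"{parts.scheme}://{parts.netloc}"
    return None


def hardened_update(req: Request, sessions: Dict[str, dict]) -> Tuple[bool, str]:
    """Same endpoint with the two controls the advisory calls for, checked in order."""
    if req.method != "POST" or req.path != ENDPOINT or not session_is_valid(req, sessions):
        return False, "rejected: no valid session"
    # Control 1: the request must come from our own origin. Fail closed when neither
    # Origin nor Referer is present rather than guessing.
    origin = request_origin(req)
    if origin is None:
        return False, "rejected: missing Origin and Referer"
    if origin != SITE_ORIGIN:
        return False, "rejected: cross-origin request"
    # Control 2: synchronizer token bound to the session, compared in constant time.
    expected = sessions[req.cookies["PHPSESSID"]].get("csrf_token", "")
    supplied = req.form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected, supplied):
        return False, "rejected: bad CSRF token"
    return True, "player config updated"


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie value that keeps the session cookie off cross-site POSTs (SameSite=Lax),
    off plain HTTP (Secure) and away from script (HttpOnly)."""
    return f"PHPSESSID={session_id}; Path=/; Secure; HttpOnly; SameSite=Lax"
```

The origin check alone is a defence-in-depth measure, not a substitute for the token: some clients strip Referer, which is why the handler treats a request with neither header as untrusted instead of letting it through. The SameSite=Lax cookie closes the third leg the advisory mentions; with Lax, a top-level cross-site POST no longer carries the session cookie, so vulnerable_update() would already fail its session check for a forged request.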
Detection Methods for CVE-2026-35181
Indicators of Compromise
- Unexpected changes to video player skin or appearance settings across the platform
- HTTP POST requests to admin/playerUpdate.json.php originating from external referrers
- Anomalous cross-origin requests to administrative endpoints in web server logs
- Session logs showing administrative actions occurring during unusual browsing patterns
Detection Strategies
- Monitor HTTP access logs for requests to admin/playerUpdate.json.php with external or missing Referer headers
- Implement web application firewall (WAF) rules to detect cross-origin POST requests to administrative endpoints
- Configure intrusion detection systems to alert on suspicious patterns of administrative configuration changes
- Enable detailed audit logging for all player configuration modifications
Monitoring Recommendations
- Review web server logs regularly for cross-origin request patterns targeting administrative endpoints
- Set up alerts for bulk or rapid changes to video player configurations
- Monitor for sudden changes in referrer patterns for administrative API calls
- Implement real-time alerting for configuration changes outside of normal administrative workflows
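The indicators and strategies listed in the three lists above come down to two checks over the web server's access log: POSTs to admin/playerUpdate.json.php whose Referer is missing or points off-site, and bursts of player updates from one client. The script below is an added example, not part of the advisory or of AVideo; the log lines are constructed for it (203.0.113.7 stands for the administrator's browser, since a CSRF request is sent by the victim's browser and therefore appears from the victim's address), and SITE_HOST, BURST_LIMIT and BURST_WINDOW are assumed tuning values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional, Tuple
from urllib.parse import urlsplit

TARGET_PATH = "/admin/playerUpdate.json.php"
SITE_HOST = "video.example.test"     # assumed hostname the platform is served from
BURST_LIMIT = 3                      # more than this many updates from one client ...
BURST_WINDOW = timedelta(minutes=5)  # ... inside this window raises a burst alert

# Combined Log Format: ip ident user [time] "METHOD path HTTP/x" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)

# Constructed sample log, not taken from any real system.
SAMPLE_LOG = """\
203.0.113.7 - - [06/Apr/2026:09:59:50 +0000] "GET /admin/player HTTP/1.1" 200 1024 "https://video.example.test/" "Mozilla/5.0"
203.0.113.7 - - [06/Apr/2026:10:00:00 +0000] "POST /admin/playerUpdate.json.php HTTP/1.1" 200 58 "https://video.example.test/admin/player" "Mozilla/5.0"
203.0.113.7 - - [06/Apr/2026:10:02:30 +0000] "POST /admin/playerUpdate.json.php HTTP/1.1" 200 58 "-" "Mozilla/5.0"
203.0.113.7 - - [06/Apr/2026:10:02:31 +0000] "POST /admin/playerUpdate.json.php HTTP/1.1" 200 58 "https://unrelated.example/page.html" "Mozilla/5.0"
203.0.113.7 - - [06/Apr/2026:10:10:00 +0000] "POST /admin/playerUpdate.json.php HTTP/1.1" 200 58 "https://video.example.test/admin/player" "Mozilla/5.0"
203.0.113.7 - - [06/Apr/2026:10:10:05 +0000] "POST /admin/playerUpdate.json.php HTTP/1.1" 200 58 "https://video.example.test/admin/player" "Mozilla/5.0"
203.0.113.7 - - [06/Apr/2026:10:10:09 +0000] "POST /admin/playerUpdate.json.php HTTP/1.1" 200 58 "https://video.example.test/admin/player" "Mozilla/5.0"
203.0.113.7 - - [06/Apr/2026:10:10:14 +0000] "POST /admin/playerUpdate.json.php HTTP/1.1" 200 58 "https://video.example.test/admin/player" "Mozilla/5.0"
"""


def parse_line(line: str) -> Optional[dict]:
    """Return the parsed fields of one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def referer_verdict(referer: str) -> Optional[str]:
    """Alert reason when the Referer is absent or not from our own host; None when it is ours."""
    if referer in ("", "-"):
        return "missing Referer"
    host = urlsplit(referer).hostname
    if host != SITE_HOST:
        return f"external Referer {host}"
    return None


def burst_alerts(hits_by_ip: Dict[str, List[datetime]]) -> List[Tuple[datetime, str, str]]:
    """Sliding window over each client's sorted update times; at most one alert per client IP."""
    alerts = []
    for ip, times in hits_by_ip.items():
        times.sort()
        j = 0
        for i in range(len(times)):
            while j < len(times) and times[j] - times[i] <= BURST_WINDOW:
                j += 1
            if j - i > BURST_LIMIT:
                alerts.append((times[i], ip, f"burst: {j - i} player updates within {BURST_WINDOW}"))
                break
    return alerts


def scan_access_log(lines: Iterable[str]) -> List[Tuple[datetime, str, str]]:
    """Referer alerts in log order, followed by burst alerts, each as (time, client ip, reason)."""
    alerts: List[Tuple[datetime, str, str]] = []
    hits_by_ip: Dict[str, List[datetime]] = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        # Only state-changing requests to the vulnerable endpoint are of interest (query string ignored).
        if rec is None or rec["method"] != "POST" or urlsplit(rec["path"]).path != TARGET_PATH:
            continue
        reason = referer_verdict(rec["referer"])
        if reason:
            alerts.append((rec["time"], rec["ip"], reason))
        hits_by_ip[rec["ip"]].append(rec["time"])
    return alerts + burst_alerts(hits_by_ip)


if __name__ == "__main__":
    for when, ip, reason in scan_access_log(SAMPLE_LOG.splitlines()):
        print(f"{when.isoformat()} {ip} {reason}")
```

On the sample this yields three alerts: the POST with no Referer, the POST referred from unrelated.example, and a burst of four updates in fourteen seconds from the same client. The missing-Referer rule is the noisiest of the three, because browsers honouring a strict Referrer-Policy or some privacy extensions also omit the header, so in production it is better treated as a correlation signal alongside the burst rule and the audit log of actual configuration changes than as a standalone alert.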
How to Mitigate CVE-2026-35181
Immediate Actions Required
- Upgrade WWBN AVideo to a version newer than 26.0 once a patch is available
- Implement a Web Application Firewall (WAF) rule to block suspicious cross-origin POST requests to administrative endpoints
- Review and restrict cookie settings, changing SameSite attribute from None to Strict or Lax where possible
- Educate administrators about CSRF risks and the importance of not browsing untrusted sites while logged in
Patch Information
At the time of publication, users should monitor the GitHub Security Advisory for official patch releases from WWBN. Upgrading to a version beyond 26.0 that includes CSRF token validation is the recommended remediation.
Workarounds
- Configure web server or reverse proxy to reject requests to admin/playerUpdate.json.php that lack a valid Referer header from the same origin
- Implement network-level access controls to restrict administrative endpoint access to trusted IP addresses only
- Use browser extensions or policies that enforce strict cookie handling for administrative sessions
- Consider temporarily disabling external access to the administrative interface until a patch is applied
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.