CVE-2026-40928: Wwbn Avideo CSRF Vulnerability

CVE-2026-40928 is a CSRF flaw in WWBN AVideo that lets an attacker-controlled web page perform actions inside a logged-in victim's session. This post explains its impact, affected versions, and mitigation steps.

CVE-2026-40928 Overview

CVE-2026-40928 is a Cross-Site Request Forgery (CSRF) vulnerability affecting the WWBN AVideo open source video platform. The flaw exists in multiple JSON endpoints under the objects/ directory that accept state-changing requests via $_REQUEST/$_GET and persist changes tied to the caller's session user without implementing any anti-CSRF token, origin check, or referer validation.

A malicious page visited by a logged-in victim can silently perform unauthorized actions including casting or flipping likes/dislikes on comments via objects/comments_like.json.php, posting comments authored by the victim with attacker-chosen text via objects/commentAddNew.json.php, and deleting assets from categories via objects/categoryDeleteAssets.json.php when the victim has category management rights.

Critical Impact

Attackers can perform unauthorized actions on behalf of authenticated users, including manipulating comment likes, posting comments, and deleting category assets, through a crafted HTML page that the victim merely has to load while logged in.

Affected Products

  • WWBN AVideo versions 29.0 and prior
  • All AVideo installations with accessible objects/ JSON endpoints
  • Deployments where users have category management permissions

Discovery Timeline

  • 2026-04-21 - CVE-2026-40928 published to NVD
  • 2026-04-23 - Last updated in NVD database

Technical Details for CVE-2026-40928

Vulnerability Analysis

This Cross-Site Request Forgery vulnerability stems from the complete absence of request validation mechanisms in multiple AVideo JSON endpoints. The affected endpoints process state-changing operations directly from user requests without verifying the request origin or validating anti-CSRF tokens.

The vulnerable endpoints include:

  • objects/comments_like.json.php - Handles like/dislike operations on comments
  • objects/commentAddNew.json.php - Processes new comment submissions
  • objects/categoryDeleteAssets.json.php - Manages asset deletion within categories

Each endpoint reads its parameters from PHP's $_REQUEST or $_GET superglobals and relies solely on the session cookie for authentication. Because the browser attaches that cookie to every request sent to the site, regardless of which page initiated it, a cross-origin request from an attacker-controlled page executes with the victim's privileges.

Root Cause

The root cause is the lack of anti-CSRF protections in the affected JSON endpoints. The application fails to implement any of the standard CSRF defense mechanisms including synchronizer tokens, SameSite cookie attributes, origin header validation, or referer checking. This allows any external website to craft requests that execute with the privileges of authenticated AVideo users.

Attack Vector

Exploitation requires a logged-in AVideo user to visit an attacker-controlled web page. The attack can be executed through various HTML elements that trigger cross-origin requests:

  • Simple <img src="..."> tags pointing to vulnerable endpoints
  • Auto-submitting HTML forms with hidden fields
  • JavaScript-based fetch or XMLHttpRequest calls

Since the endpoints respond to GET requests and use session cookies for authentication, browsers automatically include the victim's credentials when loading attacker-crafted resources. The attack is entirely silent from the victim's perspective, requiring no interaction beyond loading the malicious page.
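The defenses listed under Root Cause, and the reason the GET-plus-session-cookie combination described above is exploitable, can be shown together in one piece of request-validation logic. The following is an added example written for this page in Python rather than AVideo's own PHP; it is not the project's forbidIfIsUntrustedRequest() and does not claim to reproduce it. It assumes a hypothetical application origin (avideo.example), a request object carrying lower-cased headers, POST form fields and a server-side session dictionary, and a hypothetical csrf_token form field. It rejects state-changing requests that arrive over GET (the method an `<img src>` can trigger), checks the Origin header against an allow-list with Referer as fallback, compares a synchronizer token in constant time, and builds a session cookie with SameSite/Secure/HttpOnly attributes.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Hypothetical application origin; a real deployment reads this from its configuration.
ALLOWED_ORIGINS = {"https://avideo.example"}
# Hypothetical name of the hidden form field / session key carrying the synchronizer token.
TOKEN_FIELD = "csrf_token"


@dataclass
class Request:
    """Minimal stand-in for an HTTP request as a framework would hand it to a handler."""
    method: str
    headers: dict                                  # header name (lower-case) -> value
    form: dict = field(default_factory=dict)       # POST body fields
    session: dict = field(default_factory=dict)    # server-side session store


def issue_token(session):
    """Store a fresh synchronizer token in the session and return it for embedding in a form."""
    token = secrets.token_urlsafe(32)
    session[TOKEN_FIELD] = token
    return token


def origin_of(url):
    """Reduce a URL (e.g. a Referer value) to its scheme://host[:port] origin, or None."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def untrusted_reason(req):
    """Return None if the request may change state, otherwise a short reason for rejecting it."""
    # 1. State changes only over POST: an <img src> or plain navigation can only issue GET.
    if req.method.upper() != "POST":
        return "state-changing request must use POST"
    # 2. Origin check, falling back to Referer. A request with neither header is rejected,
    #    not allowed: it cannot be told apart from a forged one.
    origin = req.headers.get("origin")
    if origin is None:
        referer = req.headers.get("referer")
        origin = origin_of(referer) if referer else None
    if origin is None:
        return "no Origin or Referer header"
    if origin.lower() not in ALLOWED_ORIGINS:
        return f"cross-origin request from {origin}"
    # 3. Synchronizer token: must equal the session copy; constant-time compare on bytes.
    expected = req.session.get(TOKEN_FIELD)
    supplied = req.form.get(TOKEN_FIELD)
    if not expected or not supplied or not hmac.compare_digest(
        expected.encode(), str(supplied).encode()
    ):
        return "missing or invalid CSRF token"
    return None


def session_cookie(value):
    """Build a Set-Cookie value whose attributes keep the browser from attaching the session
    to cross-site subresource loads such as <img src=...> (SameSite=Lax) and from exposing it
    to script (HttpOnly) or plaintext transport (Secure)."""
    return f"session={value}; Path=/; Secure; HttpOnly; SameSite=Lax"


if __name__ == "__main__":
    session = {}
    token = issue_token(session)
    good = Request("POST", {"origin": "https://avideo.example"}, {TOKEN_FIELD: token}, session)
    forged = Request("GET", {"referer": "https://other-site.example/page.html"}, {}, session)
    print("legitimate form post:", untrusted_reason(good))
    print("cross-site image load:", untrusted_reason(forged))
```

Any one of the three checks would have stopped the requests described in this advisory; using all three means a deployment that cannot yet set SameSite cookies, or that sits behind a proxy that strips Origin, still has a working defense.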

```php
// Security patch in objects/categoryDeleteAssets.json.php
// Source: https://github.com/WWBN/AVideo/commit/7aaad601bd9cd7b993ba0ee1b1bea6c32ee7b77c
     $obj->msg = __("Permission denied");
     die(json_encode($obj));
 }
-
+forbidIfIsUntrustedRequest('categoryDeleteAssets');
 if (!Category::deleteAssets($obj->id)) {
     $obj->error = false;
 }else{
```
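Review bot: the return value of forbidIfIsUntrustedRequest('categoryDeleteAssets') is discarded and nothing between it and Category::deleteAssets($obj->id) re-checks, so the guard only holds if the function itself terminates the script on an untrusted request; a short comment at the call site saying that it exits (matching the die(json_encode($obj)) pattern of the permission check directly above) would make that contract visible to the next reader. The removed blank line (the lone "-") is a whitespace-only change that adds noise to an otherwise one-line security fix.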

The patch introduces the forbidIfIsUntrustedRequest() function call that validates requests before processing sensitive operations.

```php
// Security patch in objects/commentAddNew.json.php
// Source: https://github.com/WWBN/AVideo/commit/7aaad601bd9cd7b993ba0ee1b1bea6c32ee7b77c
     $obj->msg = __("Permission denied");
     die(json_encode($obj));
 }
+forbidIfIsUntrustedRequest('commentAddNew');
 
 function isCommentASpam($comment, $videos_id)
 {
```
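Review bot: the call is at file scope after the permission check and before the isCommentASpam() definition, so it runs on every request before any comment is processed, which is the right place; what is missing is a hunk for objects/comments_like.json.php, which this advisory also lists as affected, so confirm that endpoint received the same guard in the commit. The string argument differs per endpoint ('categoryDeleteAssets' above, 'commentAddNew' here) and it is not documented what it controls; if it selects a per-endpoint rule rather than just labelling log output, a misspelt label could weaken the check silently, so a one-line comment on its meaning is worth adding.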

Detection Methods for CVE-2026-40928

Indicators of Compromise

  • Unexpected comment activity on videos from authenticated user accounts
  • Unusual like/dislike patterns on comments that users deny initiating
  • Category asset deletions without corresponding administrator actions
  • HTTP access logs showing requests to objects/*.json.php endpoints with external referer headers

Detection Strategies

  • Monitor web server logs for requests to vulnerable endpoints with referer headers from external domains
  • Implement anomaly detection for rapid successive requests to comment and like endpoints from single users
  • Review authentication logs for sessions making requests during times users report not being active
  • Deploy web application firewall rules to flag cross-origin requests to sensitive JSON endpoints
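The log-based indicators and detection strategies above (external or missing Referer on requests to objects/*.json.php, and bursts of such requests from one user) can be run as a single pass over access logs. The following is an added example written for this page, not tooling from the AVideo project; it parses Apache combined-format lines, assumes a hypothetical site host (avideo.example), and uses a small set of constructed log lines embedded inline. A missing Referer is reported separately from an external one because browsers may omit the header for privacy reasons, so it is a weaker signal.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Hypothetical site host; set to the deployment's public hostname.
SITE_HOST = "avideo.example"
# The JSON endpoints named in the advisory all live under objects/ and end in .json.php.
ENDPOINT_RE = re.compile(r"^/objects/[^/?\s]+\.json\.php")
# Apache combined log format: host ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log lines (not real traffic); hostnames and users are illustrative.
SAMPLE_LOG = [
    '203.0.113.7 - alice [21/Apr/2026:10:00:01 +0000] "GET /objects/comments_like.json.php HTTP/1.1" 200 45 "https://other-site.example/page.html" "Mozilla/5.0"',
    '203.0.113.7 - alice [21/Apr/2026:10:00:02 +0000] "GET /objects/comments_like.json.php HTTP/1.1" 200 45 "https://other-site.example/page.html" "Mozilla/5.0"',
    '203.0.113.7 - alice [21/Apr/2026:10:00:03 +0000] "POST /objects/commentAddNew.json.php HTTP/1.1" 200 60 "https://other-site.example/page.html" "Mozilla/5.0"',
    '198.51.100.4 - bob [21/Apr/2026:10:05:00 +0000] "POST /objects/commentAddNew.json.php HTTP/1.1" 200 60 "https://avideo.example/video/42" "Mozilla/5.0"',
    '198.51.100.4 - bob [21/Apr/2026:10:05:30 +0000] "GET /objects/categoryDeleteAssets.json.php HTTP/1.1" 200 20 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [21/Apr/2026:10:06:00 +0000] "GET /index.php HTTP/1.1" 200 5000 "-" "Mozilla/5.0"',
]


def parse_line(line):
    """Parse one combined-format line into a dict with an aware datetime, or None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["time"] = datetime.strptime(event["time"], TIME_FMT)
    return event


def referer_host(referer):
    """Hostname of the Referer value, or None when the header was absent ('-' or empty)."""
    if referer in ("", "-"):
        return None
    return urlsplit(referer).hostname


def find_csrf_indicators(lines, burst_window_s=5, burst_count=3):
    """Return (event, reason) pairs for requests to objects/*.json.php that carry an external
    Referer, carry no Referer, or arrive as a burst of burst_count hits from one client
    (ip, user) inside burst_window_s seconds."""
    findings = []
    per_client = defaultdict(list)
    for line in lines:
        event = parse_line(line)
        if event is None or not ENDPOINT_RE.match(event["path"]):
            continue
        host = referer_host(event["referer"])
        if host is None:
            findings.append((event, "no referer"))
        elif host.lower() != SITE_HOST:
            findings.append((event, f"external referer {host}"))
        # Sliding window of recent hits per client; report once when the window fills.
        key = (event["ip"], event["user"])
        recent = [t for t in per_client[key]
                  if (event["time"] - t).total_seconds() <= burst_window_s]
        recent.append(event["time"])
        per_client[key] = recent
        if len(recent) == burst_count:
            findings.append((event, f"{burst_count} requests within {burst_window_s}s"))
    return findings


if __name__ == "__main__":
    for event, reason in find_csrf_indicators(SAMPLE_LOG):
        print(f'{event["time"]:%H:%M:%S} {event["user"]:<6} {event["path"]:<42} {reason}')
```

On the sample data the three hits from alice are each flagged for their external Referer and the third also trips the burst rule, bob's same-site comment post is ignored, and his category deletion with no Referer is reported as the weaker "no referer" signal. Note that Referer checks on the detection side have the same limit as on the blocking side: a request that legitimately lacks the header cannot be classified, which is why the burst rule is included as a second, independent signal.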

Monitoring Recommendations

  • Enable detailed logging for all objects/ directory endpoints including full request headers
  • Configure alerts for requests to state-changing endpoints originating from non-application domains
  • Implement user activity dashboards allowing users to review recent account actions
  • Monitor for patterns of simultaneous requests across multiple user sessions from similar source IPs

How to Mitigate CVE-2026-40928

Immediate Actions Required

  • Update AVideo to a version containing commit 7aaad601bd9cd7b993ba0ee1b1bea6c32ee7b77c or later
  • Review recent comment, like, and category modification activity for suspicious patterns
  • Notify users with category management permissions about potential unauthorized actions
  • Consider temporarily restricting access to the vulnerable endpoints if immediate patching is not possible

Patch Information

The vulnerability is addressed in commit 7aaad601bd9cd7b993ba0ee1b1bea6c32ee7b77c. The fix introduces request validation through the forbidIfIsUntrustedRequest() function across the affected endpoints. This function validates that requests originate from trusted sources before processing state-changing operations.

For detailed patch information, refer to the GitHub Security Advisory and the commit containing the fix.

Workarounds

  • Implement a web application firewall rule to block requests to objects/*.json.php endpoints with external or missing referer headers
  • Configure the application behind a reverse proxy that validates the Origin header on all POST and state-changing GET requests
  • Restrict network access to the AVideo administrative interface to trusted IP ranges
  • Educate users about the risks of visiting untrusted websites while logged into AVideo

```apache
# Example Apache configuration to block external referers to the vulnerable endpoints.
# Requires mod_rewrite. Use this form in the server or virtual-host configuration; when
# placed in an .htaccess file inside objects/, omit the <Directory> wrapper, since
# <Directory> sections are not permitted in .htaccess.
<Directory "/var/www/avideo/objects">
    RewriteEngine On
    # Only act when a Referer is present. Browsers may omit the header for privacy
    # reasons, so a blank Referer is allowed through here; remove this condition to
    # block missing referers as well, at the cost of breaking those clients.
    RewriteCond %{HTTP_REFERER} !^$
    # Reject unless the Referer host is exactly the site. The trailing (:port)?(/|$)
    # prevents a host such as your-avideo-domain.com.other.example from matching as a prefix.
    RewriteCond %{HTTP_REFERER} !^https?://your-avideo-domain\.com(:[0-9]+)?(/|$) [NC]
    RewriteRule \.json\.php$ - [F,L]
</Directory>
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.