CVE-2026-43877 Overview
CVE-2026-43877 is a Cross-Site Request Forgery [CWE-352] vulnerability in WWBN AVideo, an open source video platform. The flaw affects all versions up to and including 29.0. The legacy objects/userSavePhoto.php endpoint accepts a base64 POST parameter and writes the decoded bytes to videos/userPhoto/photo<users_id>.png without CSRF protection. Because the file does not end in .json.php, it is excluded from the project's global autoCSRFGuard. An attacker who lures a logged-in user to a malicious page can overwrite that user's profile photo with arbitrary bytes and trigger a site-wide clearCache(true) on every forged request.
Critical Impact
Authenticated victims visiting attacker-controlled pages can have their profile photo replaced with arbitrary bytes, and each forged request also flushes the site-wide cache.
Affected Products
- WWBN AVideo versions up to and including 29.0
- objects/userSavePhoto.php legacy profile-photo endpoint
- objects/userSaveBackground.php related background image endpoint
Discovery Timeline
- 2026-05-11 - CVE-2026-43877 published to NVD
- 2026-05-12 - Last updated in NVD database
Technical Details for CVE-2026-43877
Vulnerability Analysis
The vulnerability resides in objects/userSavePhoto.php, a legacy profile-photo upload endpoint. Its only access control check is User::isLogged(), which verifies that a session exists but says nothing about where the request came from. The endpoint accepts a base64-encoded POST parameter and writes the decoded bytes directly to disk at videos/userPhoto/photo<users_id>.png.
AVideo enforces global CSRF defenses through autoCSRFGuard, configured in objects/include_config.php. However, the guard is suffix-scoped and only applies to files ending in .json.php. Because userSavePhoto.php does not match that suffix, requests bypass the global CSRF middleware entirely.
The endpoint additionally lacks an Origin or Referer header check and performs no MIME validation on the decoded bytes. Each forged request also calls clearCache(true), propagating cache invalidation site-wide.
Root Cause
The root cause is a missing CSRF token combined with a suffix-scoped CSRF guard. AVideo's default cookie policy is SameSite=None; Secure on HTTPS, as set in objects/functionsPHP.php:227. This permits browsers to attach session cookies to cross-site POST requests, enabling silent forgery against authenticated users.
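The combination described above (no token, a guard that never runs for this file, and cookies sent cross-site) is what a per-endpoint trust check has to close. The following is an added example, not AVideo's own forbidIfIsUntrustedRequest() and not taken from the patch: a standalone check a legacy endpoint could call before touching disk. It requires both a same-origin Origin/Referer header and a per-session CSRF token, so a forged cross-site POST fails even though the browser attached the session cookie. The function name, the csrf_token field name and the sample requests are assumptions for the example.

```php
<?php
// Added example (not AVideo's forbidIfIsUntrustedRequest()): a request-trust
// check for a legacy endpoint that autoCSRFGuard's .json.php suffix skips.
// isTrustedStateChangingRequest() and the 'csrf_token' field are hypothetical.
declare(strict_types=1);

/**
 * Returns true only when the request is same-origin AND carries the session's
 * CSRF token. Both checks matter: SameSite=None cookies ride along on
 * cross-site POSTs, so the cookie alone proves nothing about the origin.
 */
function isTrustedStateChangingRequest(array $server, array $post, ?string $sessionToken, string $siteHost): bool
{
    // 1. Only POST may change state.
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return false;
    }

    // 2. Origin (sent by browsers on cross-site POSTs) or, failing that,
    //    Referer must name our own host. No header at all fails closed.
    $origin  = $server['HTTP_ORIGIN'] ?? '';
    $referer = $server['HTTP_REFERER'] ?? '';
    $sourceHost = $origin !== ''
        ? parse_url($origin, PHP_URL_HOST)
        : parse_url($referer, PHP_URL_HOST);
    if (!is_string($sourceHost) || strcasecmp($sourceHost, $siteHost) !== 0) {
        return false;
    }

    // 3. The posted token must equal the session token (constant-time compare).
    $posted = $post['csrf_token'] ?? '';
    if ($sessionToken === null || $sessionToken === '' || !is_string($posted) || $posted === '') {
        return false;
    }
    return hash_equals($sessionToken, $posted);
}

// Constructed sample requests for a local run: php this_file.php
$token  = bin2hex(random_bytes(16));
$forged = [ // what a lure page's auto-submitting form looks like server-side
    'server' => ['REQUEST_METHOD' => 'POST', 'HTTP_ORIGIN' => 'https://attacker.example'],
    'post'   => ['base64' => 'iVBORw0KGgo='],
];
$legit = [ // what the site's own profile page sends
    'server' => ['REQUEST_METHOD' => 'POST', 'HTTP_ORIGIN' => 'https://avideo.example'],
    'post'   => ['base64' => 'iVBORw0KGgo=', 'csrf_token' => $token],
];
foreach (['forged' => $forged, 'legit' => $legit] as $label => $req) {
    $ok = isTrustedStateChangingRequest($req['server'], $req['post'], $token, 'avideo.example');
    echo $label, ': ', $ok ? 'allowed' : 'rejected (403)', PHP_EOL;
}
```

The origin check alone is not enough (some proxies strip Referer, and Origin may be absent on same-origin requests in older browsers), which is why the token check is unconditional; the origin check is the cheap first filter that also gives the web server log a clear signal to alert on. Setting the session cookie to SameSite=Lax or Strict on top of this removes the cookie from the forged request in the first place.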
Attack Vector
An attacker hosts a malicious page that submits a cross-origin POST to /objects/userSavePhoto.php with an attacker-controlled base64 payload. When a logged-in AVideo user visits the page, the browser attaches the session cookie due to the permissive SameSite policy. The server decodes the bytes, overwrites photo<users_id>.png, and triggers clearCache(true).
// Patch excerpt: objects/functionsImages.php
// Adds normalization and size estimation for base64 image input
function normalizeBase64ImageData($imgBase64)
{
    $imgBase64 = trim((string) $imgBase64);
    if ($imgBase64 === '') {
        return '';
    }
    // Strip a "data:image/<type>;base64," prefix if the client sent one
    if (preg_match('/^data:image\/[a-z0-9.+-]+;base64,/i', $imgBase64)) {
        $parts = explode(',', $imgBase64, 2);
        $imgBase64 = $parts[1] ?? '';
    }
    // Restore '+' characters that form decoding turned into spaces, then drop all whitespace
    $imgBase64 = str_replace(' ', '+', $imgBase64);
    return preg_replace('/\s+/', '', $imgBase64);
}

// objects/userSaveBackground.php now invokes the request trust check
forbidIfIsUntrustedRequest('userSaveBackground');
Source: GitHub Commit 9c38468
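The excerpt above shows the normalization half of the fix; the advisory also names an estimateBase64DecodedSize() helper and notes that the vulnerable endpoint did no MIME validation on the decoded bytes. The block below is an added example, not the project's code and not a copy of that helper (its body is not on this page): it estimates the decoded size without decoding, decodes strictly, confirms the bytes are really a PNG or JPEG, and only then writes photo<users_id>.png with the id forced to an integer. The function names, the size limit and the sample payloads are assumptions.

```php
<?php
// Added example, not AVideo's own code: payload validation for a base64
// profile photo before anything reaches videos/userPhoto/. The helper names,
// MAX_PHOTO_BYTES and the sample inputs are constructed for this example.
declare(strict_types=1);

const MAX_PHOTO_BYTES = 2 * 1024 * 1024;          // assumed limit
const ALLOWED_MIME    = ['image/png', 'image/jpeg'];

/** Decoded length of a base64 string, computed without decoding it. */
function estimateDecodedSize(string $b64): int
{
    $len = strlen($b64);
    if ($len === 0) {
        return 0;
    }
    $padding = $len - strlen(rtrim($b64, '='));
    return intdiv($len * 3, 4) - $padding;
}

/**
 * Returns the raw image bytes when the payload is acceptable, otherwise null
 * and a reason. Expects input already normalized (prefix and whitespace
 * removed, as the patch's normalizeBase64ImageData() does).
 */
function validateProfilePhotoPayload(string $b64, ?string &$reason = null): ?string
{
    if ($b64 === '' || !preg_match('#^[A-Za-z0-9+/]+={0,2}$#', $b64)) {
        $reason = 'not base64';
        return null;
    }
    // Reject oversized input before base64_decode() allocates for it.
    if (estimateDecodedSize($b64) > MAX_PHOTO_BYTES) {
        $reason = 'too large';
        return null;
    }
    $bytes = base64_decode($b64, true);
    if ($bytes === false) {
        $reason = 'invalid base64';
        return null;
    }
    // The MIME check the vulnerable endpoint skipped: parse the image header.
    $info = @getimagesizefromstring($bytes);
    if ($info === false || !in_array($info['mime'], ALLOWED_MIME, true)) {
        $reason = 'not an allowed image';
        return null;
    }
    $reason = null;
    return $bytes;
}

/** Writes the validated bytes to <dir>/photo<id>.png; the id is an int, never user text. */
function storeProfilePhoto(int $usersId, string $bytes, string $dir): string
{
    $target = sprintf('%s/photo%d.png', rtrim($dir, '/'), $usersId);
    if (file_put_contents($target, $bytes, LOCK_EX) === false) {
        throw new RuntimeException("cannot write $target");
    }
    return $target;
}

// Constructed samples: a 1x1 PNG and a text blob that is valid base64 but no image.
$samples = [
    'png'  => 'iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg==',
    'text' => base64_encode('plain text, not an image'),
];
foreach ($samples as $label => $b64) {
    $bytes = validateProfilePhotoPayload($b64, $why);
    if ($bytes === null) {
        echo $label, ': rejected (', $why, ')', PHP_EOL;
        continue;
    }
    echo $label, ': accepted, written to ', storeProfilePhoto(42, $bytes, sys_get_temp_dir()), PHP_EOL;
}
```

getimagesizefromstring() only parses the image header, so it stops text, scripts and random bytes but not a polyglot file that carries a valid PNG header. Where the deployment can afford it, re-encoding the accepted image through GD or Imagick and writing the re-encoded output, rather than the client's bytes, removes that residual risk. Note that the validation and the request-trust check are independent: this block says nothing about who sent the request, which is the CSRF fix proper.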
Detection Methods for CVE-2026-43877
Indicators of Compromise
- POST requests to /objects/userSavePhoto.php or /objects/userSaveBackground.php with a Referer or Origin header from an external domain.
- Unexpected modifications to videos/userPhoto/photo<users_id>.png outside normal user profile update workflows.
- Sudden bursts of clearCache(true) events that coincide with cross-site POSTs to these endpoints (session cookie present, no CSRF token, foreign or missing Referer).
Detection Strategies
- Inspect web server access logs for POST traffic to userSavePhoto.php lacking a same-origin Referer or with no CSRF token field.
- Hash and baseline files in videos/userPhoto/ and alert on unexpected overwrites tied to active sessions.
- Correlate cache-clear events with profile photo writes to surface forged request chains.
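The first detection strategy above can be run directly over web server access logs. The block below is an added example, not part of the advisory: it parses lines in the nginx/Apache "combined" format (Referer is the eighth field), and reports every POST to the two legacy endpoints whose Referer is absent or names a host other than the site's own. The site host and the log lines are constructed; Origin is not part of the combined format, so matching on it needs a custom log format and is not shown here.

```php
<?php
// Added example, not AVideo's code: scan combined-format access logs for
// POSTs to the two legacy endpoints that do not carry a same-origin Referer.
// SITE_HOST and the sample log lines below are constructed for the example.
declare(strict_types=1);

const SITE_HOST = 'avideo.example';
const WATCHED   = '~^/objects/(userSavePhoto|userSaveBackground)\.php~';
// ip ident user [time] "METHOD path proto" status bytes "referer" "user-agent"
const COMBINED  = '~^(?<ip>\S+) \S+ \S+ \[(?<time>[^\]]+)\] "(?<method>[A-Z]+) (?<path>\S+) [^"]*" (?<status>\d{3}) \S+ "(?<referer>[^"]*)" "(?<ua>[^"]*)"$~';

/** Parses one combined-format line into named fields, or null if it does not match. */
function parseCombined(string $line): ?array
{
    return preg_match(COMBINED, $line, $m) === 1 ? $m : null;
}

/**
 * Returns a finding for a POST to a watched endpoint whose Referer is missing
 * or foreign, null otherwise. A missing Referer is flagged as well, because a
 * genuine profile-photo update is submitted from the site's own pages.
 */
function classify(array $r): ?array
{
    if ($r['method'] !== 'POST' || !preg_match(WATCHED, $r['path'])) {
        return null;
    }
    $refHost = ($r['referer'] === '-' || $r['referer'] === '')
        ? null
        : parse_url($r['referer'], PHP_URL_HOST);
    if (is_string($refHost) && strcasecmp($refHost, SITE_HOST) === 0) {
        return null; // same-origin: normal UI traffic
    }
    return [
        'ip'      => $r['ip'],
        'time'    => $r['time'],
        'path'    => $r['path'],
        'referer' => $r['referer'],
        'status'  => $r['status'],
    ];
}

/** Runs the scan over an array of raw log lines and returns the findings. */
function scanAccessLog(array $lines): array
{
    $findings = [];
    foreach ($lines as $line) {
        $r = parseCombined($line);
        if ($r !== null && ($f = classify($r)) !== null) {
            $findings[] = $f;
        }
    }
    return $findings;
}

// Constructed log lines: two forged POSTs (foreign Referer, no Referer), one
// legitimate POST from the site's own UI, and a GET that is not in scope.
$sampleLog = [
    '203.0.113.7 - - [11/May/2026:10:02:11 +0000] "POST /objects/userSavePhoto.php HTTP/1.1" 200 23 "https://attacker.example/lure.html" "Mozilla/5.0"',
    '198.51.100.4 - - [11/May/2026:10:03:02 +0000] "POST /objects/userSavePhoto.php HTTP/1.1" 200 23 "https://avideo.example/user/" "Mozilla/5.0"',
    '203.0.113.7 - - [11/May/2026:10:03:40 +0000] "POST /objects/userSaveBackground.php HTTP/1.1" 200 23 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [11/May/2026:10:04:00 +0000] "GET /objects/userSavePhoto.php HTTP/1.1" 405 0 "https://attacker.example/" "Mozilla/5.0"',
];

foreach (scanAccessLog($sampleLog) as $f) {
    printf("%s %s POST %s status=%s referer=%s\n", $f['time'], $f['ip'], $f['path'], $f['status'], $f['referer']);
}
```

Replace $sampleLog with file('/var/log/nginx/access.log', FILE_IGNORE_NEW_LINES) to run it over a real log. A status of 200 on a flagged line is the interesting case: after the patch or the nginx workaround, the same requests should show up as 403, which makes the scan a cheap way to confirm the mitigation is actually in place.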
Monitoring Recommendations
- Enable verbose request logging on legacy PHP endpoints not covered by autoCSRFGuard.
- Forward web access logs and PHP application logs to a central SIEM for anomaly correlation.
- Alert on cross-origin POSTs to authenticated endpoints when session cookies are present.
How to Mitigate CVE-2026-43877
Immediate Actions Required
- Upgrade WWBN AVideo to a release containing commit 9c38468041505e637101c5943c5370c68f48e3ac.
- Audit all PHP endpoints outside the .json.php suffix scope for missing CSRF protection.
- Review videos/userPhoto/ for recently overwritten image files and restore from backup if tampering is suspected.
Patch Information
The fix is delivered in commit 9c38468041505e637101c5943c5370c68f48e3ac. The patch introduces normalizeBase64ImageData() and estimateBase64DecodedSize() helpers in objects/functionsImages.php and invokes forbidIfIsUntrustedRequest() on the affected endpoints. See the GitHub Security Advisory GHSA-jw8g-5j46-44rp for the full advisory.
Workarounds
- Restrict access to objects/userSavePhoto.php and objects/userSaveBackground.php at the web server layer until patched.
- Enforce a stricter cookie policy by overriding the default SameSite=None setting in objects/functionsPHP.php where compatible with deployment requirements.
- Add a reverse-proxy rule that rejects POSTs to these endpoints when Origin or Referer does not match the site's own domain.
# Example nginx rule rejecting cross-origin POSTs to the vulnerable endpoints.
# nginx does not allow an "if" block inside another "if", so the checks are
# flat: default to allow, clear the flag for POST, then restore it when
# Origin or Referer names this site.
location ~ ^/objects/(userSavePhoto|userSaveBackground)\.php$ {
    set $allow 1;
    if ($request_method = POST) { set $allow 0; }
    if ($http_origin  ~* "^https://your-avideo-domain\.com$") { set $allow 1; }
    if ($http_referer ~* "^https://your-avideo-domain\.com/") { set $allow 1; }
    if ($allow = 0) { return 403; }
    include fastcgi_params;
    fastcgi_pass php-upstream;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.