Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-43880

CVE-2026-43880: WWBN AVideo Auth Bypass Vulnerability

CVE-2026-43880 is an authentication bypass flaw in WWBN AVideo that allows unauthenticated attackers to send phishing emails using the site's legitimate SMTP infrastructure. This article covers technical details, affected versions, impact, and mitigation.

Published:

CVE-2026-43880 Overview

CVE-2026-43880 affects WWBN AVideo, an open source video platform, in all versions up to and including 29.0. The vulnerability resides in objects/sendEmail.json.php, which is allow-listed as a public write action in objects/functionsSecurity.php at line 885. When the contactForm parameter is omitted, the endpoint accepts an attacker-supplied recipient and uses the site's own contact email as the From: and Reply-To: headers. An unauthenticated attacker who solves the captcha can abuse the site's Simple Mail Transfer Protocol (SMTP) infrastructure to deliver attacker-composed emails from the site's legitimate sender address. The vulnerability is tracked under [CWE-940: Improper Verification of Source of a Communication Channel].

Critical Impact

Unauthenticated attackers can send emails from the site's legitimate address that pass SPF, DKIM, and DMARC validation, enabling targeted phishing and brand impersonation.

Affected Products

  • WWBN AVideo versions up to and including 29.0
  • objects/sendEmail.json.php endpoint
  • Deployments using the site's configured contact email and SMTP infrastructure

Discovery Timeline

  • 2026-05-11 - CVE-2026-43880 published to NVD
  • 2026-05-12 - Last updated in NVD database

Technical Details for CVE-2026-43880

Vulnerability Analysis

The flaw is a missing authentication check on a mail-sending endpoint. objects/sendEmail.json.php exposes two execution paths controlled by the contactForm POST parameter. When contactForm=1 is submitted, the endpoint behaves as a standard contact form. When the parameter is omitted, the endpoint treats the request as a share or arbitrary-recipient path and sets $sendTo to an attacker-controlled email address.

For unauthenticated callers, User::getEmail_() returns an empty string. The code then falls back to $config->getContactEmail() for the reply address, and $mail->setFrom($replyTo) sets the outgoing From: header to the site's own contact address. The endpoint is explicitly allow-listed as a public write action in objects/functionsSecurity.php at line 885, bypassing both authentication and Cross-Site Request Forgery (CSRF) token checks.

Root Cause

The root cause is improper verification of the source of a communication channel. The mail-sending logic does not require authentication for the arbitrary-recipient code path, and it derives the sender identity from server-side configuration rather than from the authenticated caller. Combined with the public allow-list entry, this lets any captcha-solving client direct outbound mail from the site's trusted domain.

Attack Vector

An attacker submits a POST request to objects/sendEmail.json.php without contactForm=1, supplies an arbitrary recipient address and message body, and solves the captcha. The resulting email leaves the site's SMTP infrastructure with the site's contact address in the From: and Reply-To: headers. SPF, DKIM, and DMARC checks pass because the message originates from the legitimate domain, making the email indistinguishable from genuine site communications.

php
 if(User::isAdmin()){
     $valid = true;
 }
+
+// Reject the arbitrary-recipient (share) path for unauthenticated callers.
+// Without this guard an unauthenticated attacker can force the site's own
+// SMTP infrastructure to send attacker-composed mail to any recipient:
+// User::getEmail_() returns '' when not logged in, so $replyTo falls back
+// to $config->getContactEmail(), and $mail->setFrom($replyTo) makes the
+// message appear to originate From the site's own legitimate address --
+// passing SPF/DKIM/DMARC and enabling targeted phishing / brand impersonation.
+if (empty($_POST['contactForm']) && !User::isLogged()) {
+    $obj = new stdClass();
+    $obj->error = __('Authentication required');
+    header('Content-Type: application/json');
+    echo json_encode($obj);
+    exit;
+}
+
 $obj = new stdClass();
 $obj->error = '';
 if ($valid) {

Source: GitHub Commit 4e3709895857a5857f0edb46b0ee984de0d9e1a2

Detection Methods for CVE-2026-43880

Indicators of Compromise

  • POST requests to objects/sendEmail.json.php without a contactForm=1 parameter from unauthenticated sessions.
  • Outbound SMTP messages originating from the AVideo host with From: set to the configured contact email but addressed to recipients outside the user base.
  • Spikes in outbound mail volume from the AVideo SMTP relay correlated with anonymous web traffic.
  • User reports of phishing emails passing SPF, DKIM, and DMARC for the site's domain.

Detection Strategies

  • Inspect web server access logs for requests to objects/sendEmail.json.php and flag any lacking the contactForm parameter.
  • Correlate captcha-solve events with subsequent SMTP send operations to identify abuse patterns.
  • Apply mail gateway rules that compare outbound recipient addresses against the registered user directory.

Monitoring Recommendations

  • Enable verbose SMTP logging on the AVideo host and forward logs to a centralized analytics platform.
  • Alert on outbound message rates exceeding baseline thresholds for the site's contact email identity.
  • Monitor reverse DNS and domain reputation services for new reports of phishing originating from the site's domain.

How to Mitigate CVE-2026-43880

Immediate Actions Required

  • Apply the upstream fix from commit 4e3709895857a5857f0edb46b0ee984de0d9e1a2 to all AVideo deployments running version 29.0 or earlier.
  • Audit recent outbound mail logs for messages sent through objects/sendEmail.json.php and notify affected recipients of potential phishing.
  • Rotate any credentials, tokens, or links that may have been disclosed in attacker-composed emails sent from the site.

Patch Information

The maintainers published an updated fix in commit 4e3709895857a5857f0edb46b0ee984de0d9e1a2. The patch rejects the arbitrary-recipient path when contactForm is empty and the caller is not logged in, returning an Authentication required JSON error. Details are documented in GitHub Security Advisory GHSA-5hgj-7gm9-cff5.

Workarounds

  • Remove sendEmail.json.php from the public write-action allow-list in objects/functionsSecurity.php until the patch can be applied.
  • Block unauthenticated POST requests to objects/sendEmail.json.php at the web application firewall or reverse proxy layer.
  • Restrict the SMTP relay so it only accepts mail destined for known user addresses associated with the platform.
bash
# Web server rule to block unauthenticated arbitrary-recipient requests
location = /objects/sendEmail.json.php {
    if ($request_method = POST) {
        set $block 1;
    }
    if ($arg_contactForm = "1") {
        set $block 0;
    }
    if ($cookie_PHPSESSID = "") {
        set $block 1;
    }
    if ($block = 1) {
        return 403;
    }
}

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.