CVE-2026-34394 · HIGH 8.1 · EPSS p13.9%


Description

WWBN AVideo is an open source video platform. In versions 26.0 and prior, AVideo's admin plugin configuration endpoint (admin/save.json.php) lacks any CSRF token validation. There is no call to isGlobalTokenValid() or verifyToken() before processing the request. Combined with the application's explicit SameSite=None cookie policy, an attacker can forge cross-origin POST requests from a malicious page to overwrite arbitrary plugin settings on a victim administrator's session. Because the plugins table is included in the ignoreTableSecurityCheck() array in objects/Object.php, standard table-level access controls are also bypassed. This allows a complete takeover of platform functionality by reconfiguring payment processors, authentication providers, cloud storage credentials, and more. At time of publication, there are no publicly available patches.
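As an added illustration, not code from AVideo, the guard the description says is missing from admin/save.json.php: a per-session CSRF token that must be present and valid before any plugin setting is written, and a session cookie that does not rely on SameSite=None. Function names other than those on the page (issue_csrf_token, verify_csrf_token, save_plugin_config) are hypothetical.

```php
<?php
// Added example, not AVideo's own code. Shows the check a state-changing admin
// endpoint needs before it touches plugin settings. Helper names are hypothetical.

session_set_cookie_params([
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax', // admin sessions should not be issued with SameSite=None
]);
session_start();

// Called when the admin form is rendered: one random token per session.
function issue_csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Called at the top of the endpoint, before any settings write.
function verify_csrf_token(?string $submitted): bool {
    $expected = $_SESSION['csrf_token'] ?? '';
    // hash_equals() compares in constant time; an absent token always fails.
    return $expected !== ''
        && is_string($submitted)
        && hash_equals($expected, $submitted);
}

header('Content-Type: application/json');

if ($_SERVER['REQUEST_METHOD'] !== 'POST'
    || !verify_csrf_token($_POST['csrf_token'] ?? null)) {
    http_response_code(403);
    echo json_encode(['error' => true, 'msg' => 'missing or invalid CSRF token']);
    exit;
}

// Only reached for a request from the same session that carried the token.
// save_plugin_config($_POST); // hypothetical: the actual plugin-settings write
echo json_encode(['error' => false]);
```

A cross-origin form post from another site cannot read the token out of the victim's session, so the forged request described above fails at the 403 branch regardless of which cookies the browser attached.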

Scoring

CVSS 3.1: 8.1 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
EPSS: 0.23% probability of exploitation · percentile 13.9% · 2026-06-18T12:00:27Z
Published: 2026-03-31
Last modified: 2026-04-01

Underlying weaknesses · 1

CWE-352

References

  1. https://github.com/WWBN/AVideo/security/advisories/GHSA-4wwr-7h7c-chqr

Type      Target                                      Confidence  Tier
Weakness  Cross-Site Request Forgery (CSRF), cwe-352  0%          live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  - CVE: CVE-2026-33649
  - CVE: CVE-2026-40925
  - CVE: CVE-2026-33479
  - CVE: CVE-2026-33507
  - CVE: CVE-2026-33502
  - CVE: CVE-2026-33719
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.