CVE-2026-45610EPSS p1.5%

CVE-2026-45610CVE-2026-45610

wwbn / avideo

Description

WWBN AVideo is an open source video platform. In 29.0 and earlier, there is a cross-site request forgery vulnerability on the 2FA toggle. plugin/LoginControl/set.json.php accepts POST type=set2FA value=false, calls LoginControl::setUser2FA(User::getId(), false) on the session-authenticated user, and returns. There is no forbidIfIsUntrustedRequest() call, no isTokenValid() check, no X-CSRF-Token/SameSite enforcement, and no re-authentication step. A cross-origin page that the victim visits while logged into the AVideo dashboard issues the POST via a hidden form (or fetch without credentials:"omit") and disables the victim's 2FA in one request.

Scoring

CVSS 5.7 ()
VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N
EPSS0.11% probability of exploitation · percentile 1.5% · 2026-06-18T12:00:27Z
Last modified2026-06-01

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2026-34394
CVE
CVE-2026-40925
CVE
CVE-2026-41056
CVE
CVE-2026-33502
CVE
CVE-2026-33649
CVE
CVE-2026-33351
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.