AVideo Affected by CSRF on Plugin Import Endpoint Enables Unauthenticated Remote Code Execution via Malicious Plugin Upload
Description
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the objects/pluginImport.json.php endpoint allows admin users to upload and install plugin ZIP files containing executable PHP code, but lacks any CSRF protection. Combined with the application explicitly setting session.cookie_samesite = 'None' for HTTPS connections, an unauthenticated attacker can craft a page that, when visited by an authenticated admin, silently uploads a malicious plugin containing a PHP webshell, achieving Remote Code Execution on the server. Commit d1bc1695edd9ad4468a48cea0df6cd943a2635f3 contains a patch.
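The two fixes the advisory implies for an endpoint like this, shown side by side as an added example (this is not AVideo's code or its patch; function and form-field names are hypothetical): a session cookie that is no longer sent on cross-site POSTs, and a per-session CSRF token that the import handler checks before it touches the uploaded ZIP.

```php
<?php
// Added example, not AVideo's own code. Names such as csrf_token and 'plugin' are hypothetical.

// Weak setting the advisory describes: ini_set('session.cookie_samesite', 'None');
// With 'None' a cross-site form POST still carries the admin's session cookie.
function startHardenedSession(): void {
    session_set_cookie_params([
        'secure'   => true,   // cookie only over HTTPS
        'httponly' => true,   // not readable from script
        'samesite' => 'Lax',  // not attached to cross-site POST requests
    ]);
    session_start();
}

// Per-session token, rendered into the admin's upload form as a hidden field.
function getCsrfToken(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Constant-time comparison against the token stored in the session; fails closed.
function verifyCsrfToken(?string $submitted): bool {
    $expected = $_SESSION['csrf_token'] ?? '';
    return is_string($submitted) && $expected !== '' && hash_equals($expected, $submitted);
}

// Vulnerable shape from the advisory: any POST from an admin session is accepted and
// the ZIP is unpacked. Hardened shape: method and token are checked before the upload is read.
function handlePluginImport(): array {
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        http_response_code(405);
        return ['error' => true, 'msg' => 'POST required'];
    }
    if (!verifyCsrfToken($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        return ['error' => true, 'msg' => 'missing or invalid CSRF token'];
    }
    if (!isset($_FILES['plugin']) || $_FILES['plugin']['error'] !== UPLOAD_ERR_OK) {
        return ['error' => true, 'msg' => 'no plugin file uploaded'];
    }
    // Admin authorization and ZIP extraction would follow here, exactly as before.
    return ['error' => false, 'msg' => 'plugin accepted'];
}

startHardenedSession();
header('Content-Type: application/json');
echo json_encode(handlePluginImport());
```

The SameSite change alone is not enough (top-level navigations and older browsers differ), which is why the handler also requires the token.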
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| wwbn/avideo (Packagist) | <= 26.0 | — |
Affected products
Patches
No patches discovered yet.
References
- https://github.com/advisories/GHSA-hv36-p4w4-6vmj (GHSA advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2026-33507 (NVD entry)
- https://github.com/WWBN/AVideo/commit/d1bc1695edd9ad4468a48cea0df6cd943a2635f3 (fix commit)
- https://github.com/WWBN/AVideo/security/advisories/GHSA-hv36-p4w4-6vmj (vendor advisory)