VYPR
Medium severity4.3NVD Advisory· Published Apr 6, 2026· Updated Apr 15, 2026

CVE-2026-35180

CVE-2026-35180

Description

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the site customization endpoint at admin/customize_settings_nativeUpdate.json.php lacks CSRF token validation and writes uploaded logo files to disk before the ORM's domain-based security check executes. Combined with SameSite=None cookie policy, a cross-origin POST can overwrite the platform's logo with attacker-controlled content.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

2
  • WWBN/Avideo2 versions
    cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*+ 1 more
    • cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*range: <=26.0
    • (no CPE)range: <=26.0

Patches

Vulnerability mechanics

References

1

News mentions

0

No linked articles in our index yet.