Medium severity4.3NVD Advisory· Published Apr 6, 2026· Updated Apr 14, 2026
CVE-2026-35181
CVE-2026-35181
Description
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the player skin configuration endpoint at admin/playerUpdate.json.php does not validate CSRF tokens. The plugins table is explicitly excluded from the ORM's domain-based security check via ignoreTableSecurityCheck(), removing the only other layer of defense. Combined with SameSite=None cookies, a cross-origin POST can modify the video player appearance on the entire platform.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
wwbn/avideoPackagist | <= 26.0 | — |
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
3- github.com/WWBN/AVideo/security/advisories/GHSA-4q27-4rrq-fx95nvdExploitMitigationVendor AdvisoryWEB
- github.com/advisories/GHSA-4q27-4rrq-fx95ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-35181ghsaADVISORY
News mentions
0No linked articles in our index yet.