CVE-2026-34394: Cross-Site Request Forgery in AVideo

Severity: 8.1 HIGH (NVD)
EPSS: 0.0% (top 96.22%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Mar 31

Description

WWBN AVideo is an open source video platform. In versions 26.0 and prior, AVideo's admin plugin configuration endpoint (admin/save.json.php) lacks any CSRF token validation. There is no call to isGlobalTokenValid() or verifyToken() before processing the request. Combined with the application's explicit SameSite=None cookie policy, an attacker can forge cross-origin POST requests from a malicious page to overwrite arbitrary plugin settings on a victim administrator's session. Because the plugins
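The following is an added example, not code from AVideo or from the advisory. It models the chain the description gives: an admin endpoint that writes plugin settings with no CSRF token check, a session cookie issued with SameSite=None, and a cross-site POST auto-submitted from an attacker-controlled page. The endpoint name `save_plugin_config`, the plugin `HypotheticalPayPlugin`, its `payee_account` setting and the `App`/`Session`/`Cookie` classes are all assumptions made for the demonstration; the cookie-attachment logic follows the SameSite rules browsers apply to cross-site requests. The hardened variant (`require_token=True`) shows the check the description says is absent: a session-bound token compared in constant time before any state change.

```python
# Added example, not code from AVideo or from the advisory. Endpoint, plugin and
# setting names are hypothetical; the browser model applies SameSite semantics only.
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    user: str
    is_admin: bool
    # Per-session secret a cross-site page cannot read, so it cannot be forged.
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))


@dataclass
class Cookie:
    samesite: str          # "None", "Lax" or "Strict"
    secure: bool = True


def browser_attaches_cookie(cookie: Cookie, cross_site: bool, method: str, top_level: bool) -> bool:
    """Does the browser send the session cookie on this request? (SameSite semantics)"""
    if not cross_site:
        return True
    if cookie.samesite == "Strict":
        return False
    if cookie.samesite == "Lax":
        # Lax: cross-site cookies ride only on top-level navigations with a safe
        # method (link click, form GET). An auto-submitted POST form never qualifies.
        return top_level and method in ("GET", "HEAD")
    # SameSite=None: always sent cross-site, provided the cookie is also Secure.
    return cookie.secure


class App:
    """Hypothetical server side: session store, plugin settings, one admin endpoint."""

    def __init__(self, require_token: bool):
        self.require_token = require_token
        self.sessions: dict[str, Session] = {}
        # Constructed sample data: the setting an attacker would want to redirect.
        self.plugin_settings = {"HypotheticalPayPlugin": {"payee_account": "legit@example.test"}}

    def login_admin(self) -> tuple[str, Session]:
        session_id = secrets.token_hex(16)
        self.sessions[session_id] = Session(user="admin", is_admin=True)
        return session_id, self.sessions[session_id]

    def save_plugin_config(self, session_id, plugin: str, settings: dict, token=None) -> dict:
        """Stand-in for an admin 'save plugin config' endpoint. With require_token=False
        it behaves like the unprotected handler the advisory describes: a valid admin
        cookie is all it needs. With require_token=True it also demands the session's
        CSRF token, which a cross-site page cannot supply."""
        session = self.sessions.get(session_id)
        if session is None or not session.is_admin:
            return {"error": True, "msg": "admin login required"}
        if self.require_token:
            if token is None or not hmac.compare_digest(token, session.csrf_token):
                return {"error": True, "msg": "invalid or missing CSRF token"}
        self.plugin_settings.setdefault(plugin, {}).update(settings)
        return {"error": False, "msg": "saved"}


def forged_request(samesite: str, require_token: bool) -> dict:
    """A logged-in admin visits an attacker page that auto-submits a POST form to the
    endpoint. The attacker knows the URL and field names but not the session token."""
    app = App(require_token=require_token)
    session_id, _ = app.login_admin()
    cookie = Cookie(samesite=samesite, secure=True)
    sent = browser_attaches_cookie(cookie, cross_site=True, method="POST", top_level=True)
    # If the cookie is withheld, the server sees an anonymous request.
    sid_seen = session_id if sent else None
    result = app.save_plugin_config(
        sid_seen, "HypotheticalPayPlugin", {"payee_account": "attacker@example.test"}, token=None
    )
    return {
        "cookie_sent": sent,
        "rejected": result["error"],
        "payee_account": app.plugin_settings["HypotheticalPayPlugin"]["payee_account"],
    }


if __name__ == "__main__":
    for samesite, require_token in (("None", False), ("None", True), ("Lax", False)):
        print(f"SameSite={samesite:<4} token_check={require_token!s:<5} -> "
              f"{forged_request(samesite, require_token)}")
```

Only the first scenario (SameSite=None, no token check) lets the forged POST overwrite the setting. A token check alone stops it even with SameSite=None; SameSite=Lax alone also stops this particular POST because the browser withholds the cookie, but that is a browser-side fallback rather than a replacement for validating a session-bound token on every state-changing admin request.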

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Exploitability: 2.8 | Impact: 5.2

Affected Packages (2 packages)

NVD: wwbn/avideo 26.0
Packagist: wwbn/avideo 26.0

Vulnerability Details (2 references)

OSV: AVideo's CSRF on Admin Plugin Configuration Enables Payment Credential Hijacking (2026-03-31)
GHSA: AVideo's CSRF on Admin Plugin Configuration Enables Payment Credential Hijacking (2026-03-31)

Threat Intelligence (1 reference)

Wiz: CVE-2026-34394 Impact, Exploitability, and Mitigation Steps | Wiz