CVE-2026-35181 — Cross-Site Request Forgery in Avideo

CWE-352 — Cross-Site Request Forgery4 documents4 sources

Severity

4.3MEDIUMNVD

EPSS

0.0%

top 95.39%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Wwbn Avideo

Timeline

Latest updateApr 3

PublishedApr 6

Description

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the player skin configuration endpoint at admin/playerUpdate.json.php does not validate CSRF tokens. The plugins table is explicitly excluded from the ORM's domain-based security check via ignoreTableSecurityCheck(), removing the only other layer of defense. Combined with SameSite=None cookies, a cross-origin POST can modify the video player appearance on the entire platform.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages2 packages

▶CVEListV5wwbn/avideo26.0

▶Packagistwwbn/avideo26.0

🔴Vulnerability Details

GHSA

AVideo: CSRF on Player Skin Configuration via admin/playerUpdate.json.php↗2026-04-03

▶

OSV

AVideo: CSRF on Player Skin Configuration via admin/playerUpdate.json.php↗2026-04-03

▶

🕵️Threat Intelligence

Wiz

CVE-2026-35181 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶