CVE-2026-35181

CVE-2026-35181 is a medium-severity cross-site request forgery (CSRF) vulnerability in wwbn/avideo (composer), affecting versions <= 26.0. No fixed version is listed yet.

Summary

Severity: Medium
CWE: CWE-352 (Cross-Site Request Forgery)

The player skin configuration endpoint at admin/playerUpdate.json.php does not validate CSRF tokens. The plugins table is explicitly excluded from the ORM's domain-based security check via ignoreTableSecurityCheck(), removing the only other layer of defense. Combined with SameSite=None cookies, a cross-origin POST can modify the video player appearance on the entire platform.

Details

In admin/playerUpdate.json.php at line 17, the player skin is set directly from POST data:

$pluginDO->skin = $_POST['skin'];

No CSRF token is validated anywhere in the endpoint. Normally, the ORM layer performs a Referer/Origin domain check as a secondary defense against cross-origin writes. However, the plugins table is registered in ignoreTableSecurityCheck(), which explicitly bypasses this ORM-level protection for plugin configuration.

AVideo's session cookies are configured with SameSite=None, meaning the admin's authenticated session cookie is automatically included in cross-origin POST requests from any website.

An attacker can craft a page that, when visited by an authenticated admin, silently changes the player skin to any value, including potentially invalid or disruptive configurations.

Proof of Concept

Host the following HTML on an attacker-controlled domain:

<!DOCTYPE html>
<html>
<head><title>CSRF Player Skin</title></head>
<body>
<h1>Loading video...</h1>
<form id="csrf" method="POST"
      action="https://your-avideo-instance.com/admin/playerUpdate.json.php">
  <input type="hidden" name="skin" value="minimalist" />
</form>
<script>
  document.getElementById("csrf").submit();
</script>
</body>
</html>

When an authenticated admin visits this page, the platform's player skin is changed without their knowledge.

Impact

  • Platform-wide player appearance modification without admin consent
  • Potential disruption of video playback if an invalid skin value is set
  • The ORM security bypass via ignoreTableSecurityCheck() means there is no fallback protection
  • Can be used as part of a broader defacement or social engineering attack

A victim's authenticated browser session is used to submit forged requests to an application that cannot distinguish them from legitimate ones. Typical impact: state-changing actions performed as the victim without their consent.

CVE-2026-35181 has a CVSS score of 4.3 (Medium). The vector is network-reachable, no privileges required, and user interaction required. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. No fixed version is listed yet, so configuration controls and monitoring matter more in the interim.

Affected versions

wwbn/avideo (<= 26.0)

Security releases

Not available

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

See it in your environment

Remediation advice

Add CSRF token validation at admin/playerUpdate.json.php, before processing POST data:

// admin/playerUpdate.json.php (before line 17)
if (!isGlobalTokenValid()) {
    die('{"error":"Invalid CSRF token"}');
}

Found by aisafe.io

Frequently Asked Questions

  1. What is CVE-2026-35181? CVE-2026-35181 is a medium-severity cross-site request forgery (CSRF) vulnerability in wwbn/avideo (composer), affecting versions <= 26.0. No fixed version is listed yet. A victim's authenticated browser session is used to submit forged requests to an application that cannot distinguish them from legitimate ones.
  2. How severe is CVE-2026-35181? CVE-2026-35181 has a CVSS score of 4.3 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of wwbn/avideo are affected by CVE-2026-35181? wwbn/avideo (composer) versions <= 26.0 is affected.
  4. Is there a fix for CVE-2026-35181? No fixed version is listed for CVE-2026-35181 yet. Monitor the advisory for updates and apply mitigations in the interim.
  5. Is CVE-2026-35181 exploitable, and should I be worried? Whether CVE-2026-35181 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
  6. What actually determines whether CVE-2026-35181 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix CVE-2026-35181? No fixed version is listed yet. In the interim: Use per-session CSRF tokens on all state-changing operations and verify them server-side. SameSite cookie attributes provide additional defense.

Other vulnerabilities in wwbn/avideo

CVE-2026-33731CVE-2026-33692CVE-2026-33684CVE-2026-54458CVE-2026-50183

Stop the waste.
Protect your environment with Kodem.