CVE-2026-33479
Published: 23 March 2026
Summary
CVE-2026-33479 is a high-severity Code Injection (CWE-94) vulnerability in Wwbn Avideo. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 43.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly prevents code injection by requiring validation and sanitization of unsanitized user input from $_REQUEST['sections'] before passing to PHP's eval() function.
Ensures timely application of the patch (commit 087dab8841f8bdb54be184105ef19b47c5698fcb) that sanitizes input, comprehensively remediating the specific flaw.
Mitigates CSRF exploitation of the admin-only endpoint lacking token validation by enforcing session authenticity mechanisms like CSRF tokens, blocking forged requests via SameSite=None cookies.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability is a code injection flaw in a public-facing web application's admin endpoint, exploitable via CSRF for unauthenticated RCE, directly mapping to exploitation of public-facing applications.
NVD Description
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the Gallery plugin's `saveSort.json.php` endpoint passes unsanitized user input from `$_REQUEST['sections']` array values directly into PHP's `eval()` function. While the endpoint is gated behind `User::isAdmin()`,…
more
it has no CSRF token validation. Combined with AVideo's explicit `SameSite=None` session cookie configuration, an attacker can exploit this via cross-site request forgery to achieve unauthenticated remote code execution — requiring only that an admin visits an attacker-controlled page. Commit 087dab8841f8bdb54be184105ef19b47c5698fcb contains a patch.
Deeper analysisAI
CVE-2026-33479 affects WWBN AVideo, an open source video platform, in versions up to and including 26.0. The vulnerability resides in the Gallery plugin's `saveSort.json.php` endpoint, which passes unsanitized user input from the `$_REQUEST['sections']` array values directly into PHP's `eval()` function, enabling code injection (CWE-94). The issue has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H), indicating high severity due to its potential for significant impact.
An attacker can exploit this vulnerability via cross-site request forgery (CSRF), as the endpoint is protected only by `User::isAdmin()` authentication with no CSRF token validation. AVideo's explicit `SameSite=None` configuration on session cookies allows an attacker's malicious page to forge a request from an authenticated admin's browser when the admin visits the attacker-controlled site. This results in unauthenticated remote code execution on the server.
The GitHub security advisory (GHSA-xggw-g9pm-9qhh) and patch commit (087dab8841f8bdb54be184105ef19b47c5698fcb) detail the fix, which sanitizes the input before evaluation to prevent code injection. Security practitioners should update to a patched version beyond 26.0 and consider implementing CSRF protections on admin endpoints as a general best practice.
Details
- CWE(s)