CVE-2026-33507
Published: 23 March 2026
Summary
CVE-2026-33507 is a high-severity CSRF (CWE-352) vulnerability in Wwbn Avideo. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 25.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 CM-11 (User-installed Software) and SC-23 (Session Authenticity).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SC-23 requires mechanisms such as CSRF tokens to protect session authenticity, directly preventing forged requests to the plugin import endpoint.
CM-11 prohibits or controls user-installed software like unverified plugin ZIPs, blocking installation of malicious PHP webshells.
CM-6 enforces secure configuration settings for session cookies, such as SameSite=Lax or Strict, to block cross-site transmission exploited here.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CSRF in public-facing plugin upload endpoint directly enables T1190 exploitation; malicious ZIP installs PHP webshell (T1505.003) for RCE.
NVD Description
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `objects/pluginImport.json.php` endpoint allows admin users to upload and install plugin ZIP files containing executable PHP code, but lacks any CSRF protection. Combined with the…
more
application explicitly setting `session.cookie_samesite = 'None'` for HTTPS connections, an unauthenticated attacker can craft a page that, when visited by an authenticated admin, silently uploads a malicious plugin containing a PHP webshell, achieving Remote Code Execution on the server. Commit d1bc1695edd9ad4468a48cea0df6cd943a2635f3 contains a patch.
Deeper analysisAI
CVE-2026-33507 is a cross-site request forgery (CSRF) vulnerability affecting WWBN AVideo, an open-source video platform, in versions up to and including 26.0. The issue resides in the `objects/pluginImport.json.php` endpoint, which permits admin users to upload and install plugin ZIP files containing executable PHP code without any CSRF protection. This flaw is exacerbated by the application's configuration explicitly setting `session.cookie_samesite = 'None'` for HTTPS connections, enabling cross-origin session cookie transmission.
An unauthenticated attacker can exploit this vulnerability by crafting a malicious webpage that, when visited by an authenticated admin user, triggers a silent upload and installation of a malicious plugin ZIP archive. The plugin can include a PHP webshell, resulting in remote code execution (RCE) on the AVideo server. The attack requires user interaction (UI:R) from the admin but has low complexity (AC:L) and no privileges (PR:N), as reflected in its CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). It is associated with CWE-352 (Cross-Site Request Forgery).
The GitHub security advisory (GHSA-hv36-p4w4-6vmj) and patch commit d1bc1695edd9ad4468a48cea0df6cd943a2635f3 detail the fix, which adds CSRF protection to the plugin import endpoint. Security practitioners should update to a patched version of AVideo beyond 26.0 and review configurations for SameSite cookie attributes to mitigate similar risks.
Details
- CWE(s)