Cyber Posture

CVE-2026-40925

Severity: High · Public PoC referenced

Published: 21 April 2026
Modified: 24 April 2026
KEV Added: not listed
Patch: fix committed upstream (see NVD description below)
CVSS Score: 8.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L)
EPSS Score: 0.0002 (5.1 percentile)
Risk Priority: 17 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-40925 is a high-severity cross-site request forgery (CSRF, CWE-352) vulnerability in WWBN AVideo, affecting versions 29.0 and prior. Its CVSS v3.1 base score is 8.3 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 5.1 percentile by exploit likelihood (well below the median), and it is not currently listed in the CISA KEV catalog, but a public proof-of-concept is referenced. Note that the low EPSS score reflects the user-interaction requirement (an administrator has to visit the attacker's page), not a low impact: a single successful request rewrites the site's core configuration.

The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: the NIST 800-53 controls listed under Threat & Defense Details.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SC-23 Session Authenticity (prevent): directly mitigates CSRF by requiring protections for session authenticity, such as anti-CSRF tokens, Origin validation, or Referer checks on authenticated configuration update requests. This is the control the vulnerable endpoint lacked outright.

SI-10 Information Input Validation (prevent): requires validation of the POST inputs to the configuration endpoint, including the CSRF token and the untrusted-request check, so a forged request is rejected before any setting is persisted.

IA-11 Re-authentication (prevent): requires re-authentication for sensitive configuration changes. A forged cross-site request rides on the administrator's existing session but cannot supply fresh credentials, so a re-authentication prompt on the settings write blocks it even when the other checks are absent.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The CVE describes a CSRF vulnerability in the public-facing AVideo web application: the attacker never authenticates, but a logged-in administrator's browser is made to submit the forged request, and the unprotected configuration endpoint accepts it as an authorized configuration change.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

WWBN AVideo is an open source video platform. In versions 29.0 and prior, `objects/configurationUpdate.json.php` (also routed via `/updateConfig`) persists dozens of global site settings from `$_POST` but protects the endpoint only with `User::isAdmin()`. It does not call `forbidIfIsUntrustedRequest()`, does not verify a `globalToken`, and does not validate the Origin/Referer header. Because AVideo intentionally sets `session.cookie_samesite=None` to support cross-origin iframe embedding, a logged-in administrator who visits an attacker-controlled page will have the browser auto-submit a cross-origin POST that rewrites the site's encoder URL, SMTP credentials, site `<head>` HTML, logo, favicon, contact email, and more in a single request. Commit f9492f5e6123dff0292d5bb3164fde7665dc36b4 contains a fix.

Deeper analysis

CVE-2026-40925 is a cross-site request forgery (CSRF) vulnerability in WWBN AVideo, an open source video platform. It affects versions 29.0 and prior, in the `objects/configurationUpdate.json.php` endpoint (also reachable via the `/updateConfig` route). The endpoint persists dozens of global site settings straight from `$_POST`, guarded only by a `User::isAdmin()` authorization check. It never calls `forbidIfIsUntrustedRequest()`, never verifies a `globalToken`, and never validates the Origin or Referer header, so nothing ties an incoming request to a page the site itself served.

Exploitation needs no credentials, only a logged-in administrator who visits an attacker-controlled page. Because AVideo deliberately sets `session.cookie_samesite=None` to support cross-origin iframe embedding, the browser attaches the administrator's session cookie to a cross-origin POST auto-submitted by that page, and the endpoint accepts it as an admin request. A single forged request can overwrite the encoder URL, SMTP credentials, site `<head>` HTML, logo, favicon, contact email, and more; control of the SMTP credentials and the site's `<head>` HTML is what drives the high confidentiality and integrity ratings in the CVSS v3.1 vector (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L), which otherwise records network reachability, low complexity, no privileges required but user interaction required, and low availability impact. The SameSite setting is intentional and cannot simply be changed to `Lax` without breaking embedding, so the effective fix is server-side: origin validation and a per-session token check on the endpoint, not a cookie-attribute change.

A fix is in commit f9492f5e6123dff0292d5bb3164fde7665dc36b4; the GitHub security advisory GHSA-vvfw-4m39-fjqf carries the details and upgrade instructions. After upgrading, operators should also audit the settings this endpoint controls (encoder URL, SMTP credentials, site `<head>` HTML, logo, favicon, contact email) for changes they did not make, since applying the patch does not revert a forged update that already landed.
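The controls above (SC-23 origin and token checks, SI-10 validation of the POST before anything is persisted) and the NVD description of what the endpoint skipped translate into a small amount of server-side code. The following is an added example written for this page, not AVideo's own code or its patch: a minimal PHP handler for an admin-only settings update that performs the missing checks. `SITE_ORIGIN`, the helper names, the `$_SESSION['is_admin']` flag standing in for `User::isAdmin()`, and the allow-listed setting keys are all assumptions made for the example.

```php
<?php
// Added example, not AVideo project code. A minimal admin-only configuration
// update handler showing the server-side checks the advisory says
// objects/configurationUpdate.json.php lacked. Helper names, SITE_ORIGIN and
// the session flag are assumptions for this example, not AVideo identifiers.
declare(strict_types=1);

// Configured site origin (assumed deployment value). Compare against a configured
// value rather than the Host header so a spoofed Host cannot widen the check.
const SITE_ORIGIN = 'https://videos.example.org';

session_start();

// Check 1: reject cross-site requests. With session.cookie_samesite=None the
// browser attaches the admin cookie to a POST auto-submitted from any site, so
// the server must compare Origin (or Referer when Origin is absent) itself.
function is_trusted_request(array $server): bool {
    $origin = strtolower($server['HTTP_ORIGIN'] ?? '');
    if ($origin !== '') {
        // A foreign origin, or the literal "null" origin, fails this comparison.
        return $origin === strtolower(SITE_ORIGIN);
    }
    $referer = $server['HTTP_REFERER'] ?? '';
    if ($referer === '') {
        return false; // neither header present: refuse rather than guess
    }
    $p = parse_url($referer);
    if ($p === false || empty($p['scheme']) || empty($p['host'])) {
        return false;
    }
    $port = isset($p['port']) ? ':' . $p['port'] : '';
    $refOrigin = strtolower($p['scheme'] . '://' . $p['host'] . $port);
    return $refOrigin === strtolower(SITE_ORIGIN);
}

// Check 2: synchronizer token. Issued once per session, embedded as a hidden
// field in the site's own settings form, and required in the POST body. A page
// on another origin cannot read it, so it cannot forge a request that carries it.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function verify_csrf_token($submitted): bool {
    $expected = $_SESSION['csrf_token'] ?? '';
    // is_string() guards against csrf_token[]=... being posted as an array.
    return $expected !== '' && is_string($submitted) && hash_equals($expected, $submitted);
}

// Check 3: the authorization check the vulnerable endpoint already had
// (stand-in for User::isAdmin(); the session flag is an assumption).
function is_admin_session(): bool {
    return !empty($_SESSION['is_admin']);
}

function reject(int $status, string $msg): void {
    http_response_code($status);
    header('Content-Type: application/json');
    echo json_encode(['error' => true, 'msg' => $msg]);
    exit;
}

// Handler: authorization first, then the two CSRF checks, then an allow-listed write.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    reject(405, 'POST only');
}
if (!is_admin_session()) {
    reject(403, 'admin only');
}
if (!is_trusted_request($_SERVER)) {
    reject(403, 'untrusted request origin'); // the untrusted-request check that was missing
}
if (!verify_csrf_token($_POST['csrf_token'] ?? null)) {
    reject(403, 'missing or invalid CSRF token'); // the token check that was missing
}

// Only write settings named in an allow-list (example keys, assumed), so the POST
// body cannot choose arbitrary global settings to overwrite.
$allowed = ['contactEmail', 'logoURL', 'encoderURL'];
$updates = [];
foreach ($allowed as $key) {
    if (isset($_POST[$key]) && is_string($_POST[$key])) {
        $updates[$key] = $_POST[$key];
    }
}
// Persisting $updates is omitted; this example has no database.
header('Content-Type: application/json');
echo json_encode(['error' => false, 'updated' => array_keys($updates)]);
```

The order of the checks matters less than their presence: the origin comparison alone stops the auto-submitted cross-site POST, and the token check stops it even when a browser or proxy strips the Origin and Referer headers, which is why both are worth having. `csrf_token()` has to be rendered into the admin's own settings form as a hidden input for the token check to pass legitimately. Adding the IA-11 control would mean prompting for the administrator's password before the write, independent of these two checks. None of this depends on the `SameSite` attribute, so the cookie setting AVideo needs for iframe embedding can stay as it is.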

Details

CWE(s)

CWE-352 Cross-Site Request Forgery (CSRF)

Affected Products

wwbn:avideo, versions ≤ 29.0

CVEs Like This One

CVE-2026-34394 (same product: WWBN AVideo)
CVE-2026-33507 (same product: WWBN AVideo)
CVE-2026-33649 (same product: WWBN AVideo)
CVE-2026-33513 (same product: WWBN AVideo)
CVE-2026-33479 (same product: WWBN AVideo)
CVE-2026-40926 (same product: WWBN AVideo)
CVE-2026-41056 (same product: WWBN AVideo)
CVE-2026-34733 (same product: WWBN AVideo)
CVE-2026-33292 (same product: WWBN AVideo)
CVE-2026-28501 (same product: WWBN AVideo)
