CVE-2026-40926
Published: 21 April 2026
Summary
CVE-2026-40926 is a high-severity CSRF (CWE-352) vulnerability in Wwbn Avideo. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious Link (T1204.001). It is ranked at the 6.0th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) [AI]
SC-23 requires mechanisms to protect session authenticity, directly mitigating CSRF by ensuring state-changing requests from admin sessions include valid tokens beyond role checks.
SI-10 mandates validation of information inputs at endpoints, directly addressing the omission of CSRF token checks on vulnerable JSON endpoints.
SI-2 ensures timely flaw remediation, such as applying the patch that adds missing CSRF validations to the affected admin endpoints.
MITRE ATT&CK Enterprise Techniques [AI]
Why these techniques?
The CSRF vulnerability requires luring a logged-in admin to a malicious page that triggers state-changing requests to the admin endpoints, so exploitation maps directly to Malicious Link (T1204.001) and to delivery via Spearphishing Link (T1566.002).
NVD Description
WWBN AVideo is an open source video platform. In versions 29.0 and prior, three admin-only JSON endpoints — `objects/categoryAddNew.json.php`, `objects/categoryDelete.json.php`, and `objects/pluginRunUpdateScript.json.php` — enforce only a role check (`Category::canCreateCategory()` / `User::isAdmin()`) and perform state-changing actions against the database without calling `isGlobalTokenValid()` or `forbidIfIsUntrustedRequest()`. Peer endpoints in the same directory (`pluginSwitch.json.php`, `pluginRunDatabaseScript.json.php`) do enforce the CSRF token, so the missing checks are an omission rather than a design choice. An attacker who lures a logged-in admin to a malicious page can create, update, or delete categories and force execution of any installed plugin's `updateScript()` method in the admin's session. Commit ee5615153c40628ab3ec6fe04962d1f92e67d3e2 contains a fix.
Deeper analysis [AI]
WWBN AVideo, an open source video platform, is affected by CVE-2026-40926, a CSRF vulnerability (CWE-352) in versions 29.0 and prior. The issue impacts three admin-only JSON endpoints—`objects/categoryAddNew.json.php`, `objects/categoryDelete.json.php`, and `objects/pluginRunUpdateScript.json.php`—which perform state-changing database actions after only role-based checks like `Category::canCreateCategory()` or `User::isAdmin()`. These endpoints omit CSRF protections such as `isGlobalTokenValid()` or `forbidIfIsUntrustedRequest()`, unlike peer endpoints in the same directory (`pluginSwitch.json.php`, `pluginRunDatabaseScript.json.php`), indicating an implementation oversight rather than intentional design.
An attacker can exploit this vulnerability over the network with low complexity and no required privileges, but it demands user interaction from a logged-in administrator (CVSS 7.1: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:L). By luring the admin to a malicious page, the attacker can trigger cross-site requests in the victim's session to create, update, or delete categories, or force execution of any installed plugin's `updateScript()` method, potentially leading to high integrity impacts and low availability disruption.
The GitHub security advisory (GHSA-ffw8-fwxp-h64w) and commit ee5615153c40628ab3ec6fe04962d1f92e67d3e2 detail the fix, which adds the missing CSRF token validations to the vulnerable endpoints. Security practitioners should update to a patched version beyond 29.0 and verify CSRF protections on all state-changing admin endpoints.
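As an added defender-side check (not AVideo's own code), the audit below scans `*.json.php` endpoint sources for the exact pattern the advisory describes: a role gate (`User::isAdmin()` / `Category::canCreateCategory()`) with neither `isGlobalTokenValid()` nor `forbidIfIsUntrustedRequest()` present. It generalises beyond the three named files to every endpoint in a checkout; the sample sources are constructed, and `audit_dir` assumes a plain directory layout of the checkout.

```python
import re
from pathlib import Path

# Role-only gates named in the advisory: an authorization check, not a CSRF check.
ROLE_CHECKS = (r"User::isAdmin\s*\(", r"Category::canCreateCategory\s*\(")
# CSRF guards that the peer endpoints (pluginSwitch.json.php, ...) do call.
CSRF_CHECKS = (r"isGlobalTokenValid\s*\(", r"forbidIfIsUntrustedRequest\s*\(")


def is_unprotected(source: str) -> bool:
    """True when the PHP source gates on a role check but never calls a CSRF guard."""
    has_role = any(re.search(p, source) for p in ROLE_CHECKS)
    has_csrf = any(re.search(p, source) for p in CSRF_CHECKS)
    return has_role and not has_csrf


def audit(sources: dict) -> list:
    """Map of file name -> PHP source; returns sorted names that fail the check."""
    return sorted(name for name, src in sources.items() if is_unprotected(src))


def audit_dir(root: str) -> list:
    """Walk a checkout (assumed layout) and audit every *.json.php under it."""
    files = {str(p): p.read_text(errors="replace") for p in Path(root).rglob("*.json.php")}
    return audit(files)


# Constructed samples (not AVideo's real files): the bug shape, the peer pattern,
# and the patched shape, each with the state change stubbed out.
SAMPLES = {
    "objects/categoryDelete.json.php": """<?php
if (!User::isAdmin()) { die(json_encode(['error' => 'admin only'])); }
// ... state-changing database write happens here, no token check ...
""",
    "objects/pluginSwitch.json.php": """<?php
if (!isGlobalTokenValid()) { die(json_encode(['error' => 'invalid token'])); }
if (!User::isAdmin()) { die(json_encode(['error' => 'admin only'])); }
// ... state-changing database write ...
""",
    "objects/categoryDelete.fixed.json.php": """<?php
forbidIfIsUntrustedRequest();
if (!User::isAdmin()) { die(json_encode(['error' => 'admin only'])); }
// ... state-changing database write ...
""",
}

if __name__ == "__main__":
    print(audit(SAMPLES))  # ['objects/categoryDelete.json.php']
```

A textual scan cannot tell whether the guard runs on every code path before the write, so treat a clean result as triage only and confirm by reading the endpoint.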
Details
- CWE(s)