4.3

CVE-2026-35180

Exploit

WWBN AVideo: CSRF on Site Customization Endpoint Enables Logo Overwrite via Base64 File Write

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the site customization endpoint at admin/customize_settings_nativeUpdate.json.php lacks CSRF token validation and writes uploaded logo files to disk before the ORM's domain-based security check executes. Combined with SameSite=None cookie policy, a cross-origin POST can overwrite the platform's logo with attacker-controlled content.
Data provided by the National Vulnerability Database (NVD)
WwbnAvideo Version <= 26.0
No warning was found for this CVE.
EPSS Metrics
Type | Source | Score | Percentile
EPSS | FIRST.org | 0.11% | 0.017
CVSS Metrics
Source | Base Score | Exploit Score | Impact Score | Vector String
security-advisories@github.com | 4.3 | 2.8 | 1.4 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
CWE-352 Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

https://github.com/WWBN/AVideo/security/advisories/GHSA-5572-2jgx-fc7c (Vendor Advisory, Exploit, Mitigation)