LeakyCreds

CVE-2026-34611 - Vulnerability Analysis

Medium | CVSS: 6.5

Last Updated: April 1, 2026

WWBN AVideo - Cross-Site Request Forgery

Published: March 31, 2026 | Updated: April 1, 2026 | PoC Available | Remote Exploitable

Overview

WWBN AVideo <= 26.0 contains a cross-site request forgery vulnerability caused by missing CSRF token validation in the objects/emailAllUsers.json.php endpoint. It lets attackers send arbitrary HTML emails as the admin. Exploitation requires an admin to visit an attacker's page.

Severity & Score

Severity: Medium
CVSS Score: 6.5

Impact

Attackers can send arbitrary HTML emails to all users. The emails appear to come from the legitimate SMTP source, enabling phishing or social engineering attacks.

Mitigation

Update to the latest version when patches become available.
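
A log check for the affected endpoint, as an added example (not code from this advisory or from the AVideo project): it flags requests to objects/emailAllUsers.json.php whose Referer is missing or points at another host. The hostname video.example.org, the combined access-log format and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

ENDPOINT = "objects/emailAllUsers.json.php"  # path named in the advisory
SITE_HOST = "video.example.org"              # assumption: your AVideo hostname

# Combined log format: ip ident user [time] "METHOD path proto" status size "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

def classify(line, site_host=SITE_HOST):
    """Return None for unrelated lines, else (verdict, ip, time, referer)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    if not urlsplit(m["path"]).path.endswith("/" + ENDPOINT):
        return None
    referer = m["referer"]
    if referer in ("", "-"):
        verdict = "no-referer"      # cannot tell where the request came from
    elif (urlsplit(referer).hostname or "").lower() == site_host.lower():
        verdict = "same-site"       # exact host match only, no suffix matching
    else:
        verdict = "cross-site"      # request was triggered from another origin
    return verdict, m["ip"], m["time"], referer

def suspicious(lines, site_host=SITE_HOST):
    """Keep only endpoint hits that did not originate from the site itself."""
    hits = (classify(line, site_host) for line in lines)
    return [h for h in hits if h and h[0] != "same-site"]

# Constructed sample lines (documentation IP ranges and example domains).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Apr/2026:10:02:11 +0000] "POST /objects/emailAllUsers.json.php HTTP/1.1" 200 31 "https://video.example.org/" "Mozilla/5.0"',
    '203.0.113.7 - - [01/Apr/2026:10:05:42 +0000] "POST /objects/emailAllUsers.json.php HTTP/1.1" 200 31 "https://other.example.net/page.html" "Mozilla/5.0"',
    '198.51.100.23 - - [01/Apr/2026:10:06:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [01/Apr/2026:10:09:30 +0000] "POST /objects/emailAllUsers.json.php HTTP/1.1" 200 31 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in suspicious(SAMPLE_LOG):
        print(*hit)
```

A missing Referer is not proof of forgery; treat those hits as items to review against the admin's own activity.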

Details

CVE ID: CVE-2026-34611
Severity: Medium
CVSS Score: 6.5
Type: cross_site_request_forgery
Status: confirmed

CWE

  • CWE-352

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N