CVE-2026-40925 - Vulnerability Analysis
High | CVSS: 8.3 | Last Updated: April 21, 2026
WWBN AVideo - Cross-Site Request Forgery
Overview
WWBN AVideo 29.0 and earlier contains a cross-site request forgery (CSRF) vulnerability: objects/configurationUpdate.json.php (also reachable via /updateConfig) persists global site settings from POST parameters with no CSRF protection, so an attacker who lures a logged-in administrator to a malicious page can change the site's global settings through that administrator's browser. The attacker needs no account of their own; exploitation requires that the victim be logged in as an admin and interact with attacker-controlled content.
Severity & Score
Impact
A successful attacker can rewrite critical site settings, including the encoder URL, SMTP credentials, and site branding, compromising the site's integrity and operations.
Mitigation
Update to a release that includes commit f9492f5e6123dff0292d5bb3164fde7665dc36b4, or to the latest version.
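The flaw described in the Overview is a settings endpoint whose only gate is "does the request carry an admin session cookie?", which a cross-site form post satisfies automatically. The following is an added example, written for this page and not code from the AVideo project or from the fix commit above: a minimal Python model of such a handler in its vulnerable form beside a hardened form that adds a per-session synchronizer token (compared in constant time) and an Origin/Referer check. The session store, configuration keys, cookie name, origins and request dictionaries are all constructed for the demonstration.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Assumed origin of the video site (constructed for the example).
SITE_ORIGIN = "https://video.example.test"

# Constructed session store: one logged-in administrator with a per-session token.
SESSIONS = {
    "sess-admin-1": {"user": "admin", "is_admin": True, "csrf_token": secrets.token_hex(16)},
}

# Constructed site configuration that the endpoint writes to.
CONFIG = {"encoderURL": "https://encoder.example.test/", "siteTitle": "My Site"}


def config_update_vulnerable(request, config):
    """Models the flawed pattern: the only check is that the cookie maps to an admin session."""
    session = SESSIONS.get(request["cookies"].get("PHPSESSID"))
    if not session or not session["is_admin"]:
        return {"error": True, "msg": "not admin"}
    config.update(request["form"])  # every POSTed key lands in the global config
    return {"error": False, "msg": "saved"}


def _origin_allowed(headers):
    """Defence in depth: require Origin (or, failing that, Referer) to match our own site."""
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if referer is None:
            return False  # neither header present: refuse a state-changing request
        parts = urlsplit(referer)
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin == SITE_ORIGIN


def config_update_hardened(request, config):
    """Admin session check plus synchronizer token plus Origin check."""
    session = SESSIONS.get(request["cookies"].get("PHPSESSID"))
    if not session or not session["is_admin"]:
        return {"error": True, "msg": "not admin"}
    if not _origin_allowed(request["headers"]):
        return {"error": True, "msg": "cross-origin request rejected"}
    submitted = request["form"].get("csrf_token", "")
    # Constant-time comparison so the token cannot be guessed byte by byte.
    if not hmac.compare_digest(submitted.encode(), session["csrf_token"].encode()):
        return {"error": True, "msg": "missing or invalid CSRF token"}
    fields = {k: v for k, v in request["form"].items() if k != "csrf_token"}
    config.update(fields)
    return {"error": False, "msg": "saved"}


def forged_request():
    """What the admin's browser sends when attacker.example.test auto-submits a form.
    The browser attaches the admin's cookie to the cross-site POST, but the attacker
    cannot read the per-session token, so it is absent."""
    return {
        "cookies": {"PHPSESSID": "sess-admin-1"},
        "headers": {"Origin": "https://attacker.example.test"},
        "form": {"encoderURL": "https://attacker.example.test/encoder/"},
    }


def legitimate_request():
    """The same admin submitting the real settings form, token included."""
    return {
        "cookies": {"PHPSESSID": "sess-admin-1"},
        "headers": {"Origin": SITE_ORIGIN},
        "form": {"encoderURL": "https://encoder.example.test/v2/",
                 "csrf_token": SESSIONS["sess-admin-1"]["csrf_token"]},
    }


def demo():
    """Run the forged and legitimate requests against both handlers on separate copies of CONFIG."""
    vuln_cfg = dict(CONFIG)
    hard_cfg = dict(CONFIG)
    r1 = config_update_vulnerable(forged_request(), vuln_cfg)
    r2 = config_update_hardened(forged_request(), hard_cfg)
    r3 = config_update_hardened(legitimate_request(), hard_cfg)
    return {"vuln_forged": r1, "hard_forged": r2, "hard_legit": r3,
            "vuln_encoder": vuln_cfg["encoderURL"], "hard_encoder": hard_cfg["encoderURL"]}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The vulnerable handler accepts the forged post and repoints encoderURL at the attacker's host; the hardened handler rejects it on the Origin check and would still reject it on the token check even if the Origin header were stripped. The Origin check alone is not sufficient (older clients and some proxies omit it), and marking the session cookie SameSite=Lax or Strict is a worthwhile additional layer, but the per-session token that the attacker cannot read is the control that actually closes CWE-352.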
References
Social Media Activity (2 posts)
CVE-2026-40925 - High (8.3) WWBN AVideo is an open source video platform. In versions 29.0 and prior, `objects/configurationUpdate.json.php` (also routed via `/updateConfig`) persists dozens of global site settings from `$_POST` but protects the endpoint only with `User::isA... https://www.thehackerwire.com/vulnerability/CVE-2026-40925/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
Related Resources
Details
- CVE ID: CVE-2026-40925
- Severity: High
- CVSS Score: 8.3
- Type: cross_site_request_forgery
- Status: new
- EPSS: 0.0%
- Social Posts: 2
CWE
- CWE-352
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L