CVE-2026-40926 - Vulnerability Analysis
High | CVSS: 7.1 | Last Updated: April 23, 2026
WWBN AVideo - Cross-Site Request Forgery
Published: April 21, 2026 | Updated: April 23, 2026 | PoC Available | Remote Exploitable
Overview
WWBN AVideo <= 29.0 contains a cross-site request forgery vulnerability caused by missing CSRF token validation in admin-only JSON endpoints. An attacker can force category changes and plugin update script execution through a logged-in admin's session. Exploitation requires admin user interaction.
Severity & Score
Severity: High
CVSS Score: 7.1
Impact
Attackers can manipulate categories and execute plugin update scripts with admin privileges, potentially compromising the system.
Mitigation
Update to the fixed version containing commit ee5615153c40628ab3ec6fe04962d1f92e67d3e2 or later.
Details
- CVE ID: CVE-2026-40926
- Severity: High
- CVSS Score: 7.1
- Type: cross_site_request_forgery
- Status: confirmed
CWE
- CWE-352
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:L