CVE-2026-40928 - Vulnerability Analysis
Medium | CVSS: 5.4 | Last Updated: April 23, 2026
WWBN AVideo - Cross-Site Request Forgery
Published: April 21, 2026 | Updated: April 23, 2026 | PoC Available | Remote Exploitable
Overview
WWBN AVideo <= 29.0 contains a cross-site request forgery vulnerability caused by the lack of anti-CSRF tokens and origin checks in multiple JSON endpoints under objects/. Attackers can force logged-in users to perform state-changing actions such as liking comments, posting comments, or deleting assets. Exploitation requires the victim to load attacker-controlled HTML.
Severity & Score
Severity: Medium
CVSS Score: 5.4
Impact
Attackers can force logged-in users to perform unwanted actions, potentially leading to unauthorized content changes or asset deletions.
Mitigation
Update to a version including commit 7aaad601bd9cd7b993ba0ee1b1bea6c32ee7b77c or later
Details
- CVE ID: CVE-2026-40928
- Severity: Medium
- CVSS Score: 5.4
- Type: cross_site_request_forgery
- Status: confirmed
CWE
- CWE-352
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L