CVE-2026-40929 - Vulnerability Analysis
Medium | CVSS: 5.4 | Last Updated: April 23, 2026
WWBN AVideo - Cross-Site Request Forgery
Published: April 21, 2026 | Updated: April 23, 2026 | PoC Available | Remote Exploitable
Overview
WWBN AVideo <= 29.0 contains a cross-site request forgery vulnerability caused by a lack of CSRF validation in objects/commentDelete.json.php. Authenticated users with delete authority can be tricked into deleting comments via cross-site requests.
Severity & Score
Severity: Medium
CVSS Score: 5.4
Impact
Authenticated users with delete permissions can be tricked into deleting comments, leading to unauthorized data modification and disruption.
Mitigation
Update to a version that includes commit 184f36b1896f3364f864f17c1acca3dd8df3af27 or later.
Details
- CVE ID: CVE-2026-40929
- Severity: Medium
- CVSS Score: 5.4
- Type: cross_site_request_forgery
- Status: confirmed
CWE
- CWE-352
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L