CVE-2026-33479

AVideo has PHP Code Injection via eval() in Gallery saveSort.json.php Exploitable Through CSRF Against Admin

Description

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the Gallery plugin's `saveSort.json.php` endpoint passes unsanitized user input from `$_REQUEST['sections']` array values directly into PHP's `eval()` function. While the endpoint is gated behind `User::isAdmin()`, it has no CSRF token validation. Combined with AVideo's explicit `SameSite=None` session cookie configuration, an attacker can exploit this via cross-site request forgery to achieve unauthenticated remote code execution — requiring only that an admin visits an attacker-controlled page. Commit 087dab8841f8bdb54be184105ef19b47c5698fcb contains a patch.

INFO

Published Date :

2026-03-23T14:05:55.725Z

Last Modified :

2026-03-23T14:59:02.375Z

Source :

GitHub_M

AFFECTED PRODUCTS

The following products are affected by CVE-2026-33479 vulnerability.

Vendors	Products
Wwbn	Avideo

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-33479.

URL	Resource
https://github.com/WWBN/AVideo/commit/087dab8841f8bdb54be184105ef19b47c5698fcb
https://github.com/WWBN/AVideo/security/advisories/GHSA-xggw-g9pm-9qhh

CVSS Vulnerability Scoring System

V3.1

Detailed values of each vector for above chart.

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality Impact

Integrity Impact

Availability Impact