Description

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the site customization endpoint at admin/customize_settings_nativeUpdate.json.php lacks CSRF token validation and writes uploaded logo files to disk before the ORM's domain-based security check executes. Combined with SameSite=None cookie policy, a cross-origin POST can overwrite the platform's logo with attacker-controlled content.

INFO

Published Date :

2026-04-06T19:06:46.447Z

Last Modified :

2026-04-07T14:44:34.133Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-35180 vulnerability.

Vendors Products
Wwbn
  • Avideo
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-35180.

URL Resource
https://github.com/WWBN/AVideo/security/advisories/GHSA-5572-2jgx-fc7c cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact