High-Severity AVideo CSRF Vulnerability Exposes Admin Settings
A high-severity Cross-Site Request Forgery (CSRF) vulnerability, tracked as CVE-2026-40925, affects WWBN AVideo versions 29.0 and prior. According to the National Vulnerability Database, the objects/configurationUpdate.json.php endpoint, also reachable as /updateConfig, is inadequately protected: it checks User::isAdmin(), but it omits forbidIfIsUntrustedRequest(), globalToken verification and Origin/Referer header validation, so nothing ties an incoming request to the site's own pages.
The flaw combines with AVideo's intentional session.cookie_samesite=None setting, which lets the browser attach the admin's session cookie to cross-site requests. A logged-in administrator who merely visits an attacker-controlled webpage can be made to send a cross-origin POST to the endpoint, and that single request can rewrite critical site settings, including the encoder URL, SMTP credentials, site <head> HTML, logo, favicon and contact email, a direct path to site compromise. The NVD entry identifies commit f9492f5e6123dff0292d5bb3164fde7665dc36b4 as the fix and assigns a CVSS score of 8.3 (HIGH).
For defenders, this is a classic case of missing request-origin controls turning the victim's own browser into the attack vehicle. The attacker's calculus is simple: lure an authenticated admin to a malicious page, and the browser submits the forged POST with the admin's cookie attached. The impact is attacker control over administrative settings and, because the writable settings include the site's <head> HTML and SMTP credentials, a foothold for secondary attacks via compromised site content.
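To make the missing controls concrete, the following Python sketch is an added example (not AVideo's PHP code and not the contents of the fix commit) showing the vulnerable handler pattern the NVD entry describes beside a hardened version that adds Origin/Referer validation and a per-session anti-CSRF token check. The origin https://video.example.org, the session layout, the request shapes and the setting names are assumptions made for the demonstration; the random token stands in for the role the advisory assigns to globalToken.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Assumed deployment origin of the AVideo instance (not from the advisory).
SITE_ORIGIN = "https://video.example.org"


def new_admin_session():
    """Constructed admin session with a random per-session CSRF token.
    The token plays the role the advisory assigns to globalToken; this is
    not AVideo's own session code."""
    return {"is_admin": True, "csrf_token": secrets.token_urlsafe(32)}


def origin_is_trusted(headers):
    """Origin/Referer validation. Browsers attach Origin to cross-site POSTs;
    if it is absent, fall back to Referer. Scheme and host must match the
    site exactly, and a request carrying neither header is rejected, so the
    check fails closed rather than open."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    parts = urlsplit(source)
    if not parts.scheme or not parts.netloc:  # also rejects "Origin: null"
        return False
    return f"{parts.scheme}://{parts.netloc}" == SITE_ORIGIN


def token_is_valid(form, session):
    """Anti-CSRF token check in constant time. An attacker's page cannot read
    the victim's token, so a forged cross-site form cannot supply it."""
    submitted = form.get("globalToken", "")
    expected = session.get("csrf_token", "")
    if not expected:
        return False
    return hmac.compare_digest(submitted.encode(), expected.encode())


def config_update_vulnerable(session, headers, form, config):
    """The pattern the advisory describes: only an admin check, so a forged
    cross-site POST riding on the admin's cookie is accepted."""
    if not session.get("is_admin"):
        return False
    config.update(form.get("settings", {}))
    return True


def config_update_hardened(session, headers, form, config):
    """Admin check plus the two controls the advisory says are missing."""
    if not session.get("is_admin"):
        return False
    if not origin_is_trusted(headers):
        return False
    if not token_is_valid(form, session):
        return False
    config.update(form.get("settings", {}))
    return True


def demo():
    """Run both handlers against a constructed forged request and a
    constructed legitimate one; returns a dict of outcomes."""
    session = new_admin_session()
    initial = {"encoderURL": "https://encoder.example.org"}
    # Forged request: the browser sent the admin's cookie (SameSite=None),
    # but the request originates from the attacker's page and has no token.
    forged_headers = {"Origin": "https://attacker.example"}
    forged_form = {"settings": {"encoderURL": "https://attacker.example/encoder"}}
    # Legitimate request from the admin UI, token included.
    legit_headers = {"Origin": SITE_ORIGIN}
    legit_form = {"globalToken": session["csrf_token"],
                  "settings": {"contactEmail": "admin@video.example.org"}}

    vuln_cfg, hard_cfg = dict(initial), dict(initial)
    vuln_accepted = config_update_vulnerable(session, forged_headers, forged_form, vuln_cfg)
    hard_forged = config_update_hardened(session, forged_headers, forged_form, hard_cfg)
    hard_legit = config_update_hardened(session, legit_headers, legit_form, hard_cfg)
    hard_no_headers = config_update_hardened(session, {}, legit_form, dict(initial))
    return {
        "vulnerable_accepted_forgery": vuln_accepted,
        "vulnerable_encoder_url": vuln_cfg["encoderURL"],
        "hardened_accepted_forgery": hard_forged,
        "hardened_encoder_url": hard_cfg["encoderURL"],
        "hardened_accepted_legit": hard_legit,
        "hardened_contact_email": hard_cfg.get("contactEmail"),
        "hardened_accepted_without_origin": hard_no_headers,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two design points are worth noting. The origin check compares scheme and host exactly, so a lookalike such as video.example.org.attacker.example is rejected, and a request with neither Origin nor Referer is refused rather than waved through, because an attacker can arrange for both to be absent. The token check is the control that does not depend on browser header behaviour at all, which is why both belong on a state-changing endpoint whose cookie is deliberately SameSite=None.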
What This Means For You
- If your organization uses WWBN AVideo, check your version now. Versions 29.0 and prior are affected; update to a release that includes commit `f9492f5e6123dff0292d5bb3164fde7665dc36b4`. Audit the AVideo configuration for unauthorized changes to settings such as the encoder URL, SMTP credentials, site <head> HTML, logo, favicon and contact email; if any have been altered, treat the instance as compromised and rotate the SMTP credentials. Until the patch is applied, administrators should avoid browsing untrusted sites from a browser that holds an AVideo admin session.
🛡️ Detection Rules
AVideo objects/configurationUpdate.json.php POST Request - CVE-2026-40925
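As an added illustration of what a rule of this kind does in practice (constructed example code, not the rule named above and not part of the original page), the Python below parses combined-format web-server access log lines, flags every POST to the affected endpoint and triages each hit by Referer host. The hostname video.example.org and the four log lines are constructed. It goes a step beyond a plain endpoint match: a same-host Referer is treated as ordinary admin use, a foreign Referer as an alert, and a missing Referer as suspicious rather than benign, because browsers may strip Referer under a referrer policy and default access-log formats do not record the Origin header.

```python
import re
from urllib.parse import urlsplit

# Assumed hostname of the AVideo instance (not from the advisory).
SITE_HOST = "video.example.org"
# The endpoint named in the advisory and its alias.
TARGET_PATHS = {"/objects/configurationUpdate.json.php", "/updateConfig"}

# Apache/nginx "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines: a genuine admin save, a forged POST from a lure
# page, a forged POST with no Referer, and a harmless GET.
SAMPLE_LOG = """\
203.0.113.7 - - [22/Apr/2026:09:12:01 +0000] "POST /objects/configurationUpdate.json.php HTTP/1.1" 200 57 "https://video.example.org/configuration" "Mozilla/5.0"
198.51.100.9 - - [22/Apr/2026:09:13:44 +0000] "POST /objects/configurationUpdate.json.php HTTP/1.1" 200 57 "https://attacker.example/lure.html" "Mozilla/5.0"
198.51.100.9 - - [22/Apr/2026:09:13:50 +0000] "POST /updateConfig?x=1 HTTP/1.1" 200 57 "-" "Mozilla/5.0"
203.0.113.7 - - [22/Apr/2026:09:14:02 +0000] "GET /objects/configurationUpdate.json.php HTTP/1.1" 405 0 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry):
    """Triage one parsed request.

    'alert'      POST to the endpoint with a Referer from another host
    'suspicious' POST to the endpoint with no Referer (a referrer policy or
                 a scripted client could explain it; review it)
    None         not a POST to the endpoint, or a same-host Referer
    """
    if entry["method"] != "POST":
        return None
    if urlsplit(entry["target"]).path not in TARGET_PATHS:
        return None
    referer = entry["referer"]
    if referer in ("", "-"):
        return "suspicious"
    if urlsplit(referer).netloc.lower() != SITE_HOST:
        return "alert"
    return None


def scan(log_text):
    """Return (ip, path, referer, verdict) for every line that warrants review."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        verdict = classify(entry)
        if verdict:
            findings.append((entry["ip"], urlsplit(entry["target"]).path,
                             entry["referer"], verdict))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Set SITE_HOST to the hostname (and port, if non-default) that appears in your admin UI's URLs before pointing this at real logs. A successful forged request returns 200 just like a genuine save, so status code alone tells you nothing; the Referer host is the only signal available in a default access log, and it is a triage aid, not a substitute for applying the fix commit.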
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-40925 | CSRF | WWBN AVideo versions 29.0 and prior |
| CVE-2026-40925 | CSRF | Vulnerable endpoint: objects/configurationUpdate.json.php (or /updateConfig) |
| CVE-2026-40925 | CSRF | Missing security checks: forbidIfIsUntrustedRequest(), globalToken validation, Origin/Referer header validation |
| CVE-2026-40925 | Misconfiguration | session.cookie_samesite=None facilitating cross-origin attacks |
| CVE-2026-40925 | Integrity Impact | Modification of sensitive settings: encoder URL, SMTP credentials, site HTML, logo, favicon, contact email |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | April 22, 2026 at 00:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.