{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33479", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-20T16:16:48.970Z", "datePublished": "2026-03-23T14:05:55.725Z", "dateUpdated": "2026-03-23T14:59:02.375Z"}, "containers": {"cna": {"title": "AVideo has PHP Code Injection via eval() in Gallery saveSort.json.php Exploitable Through CSRF Against Admin", "problemTypes": [{"descriptions": [{"cweId": "CWE-94", "lang": "en", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/WWBN/AVideo/security/advisories/GHSA-xggw-g9pm-9qhh", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-xggw-g9pm-9qhh"}, {"name": "https://github.com/WWBN/AVideo/commit/087dab8841f8bdb54be184105ef19b47c5698fcb", "tags": ["x_refsource_MISC"], "url": "https://github.com/WWBN/AVideo/commit/087dab8841f8bdb54be184105ef19b47c5698fcb"}], "affected": [{"vendor": "WWBN", "product": "AVideo", "versions": [{"version": "<= 26.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-23T14:05:55.725Z"}, "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions up to and including 26.0, the Gallery plugin's `saveSort.json.php` endpoint passes unsanitized user input from `$_REQUEST['sections']` array values directly into PHP's `eval()` function. While the endpoint is gated behind `User::isAdmin()`, it has no CSRF token validation. Combined with AVideo's explicit `SameSite=None` session cookie configuration, an attacker can exploit this via cross-site request forgery to achieve unauthenticated remote code execution \u2014 requiring only that an admin visits an attacker-controlled page. Commit 087dab8841f8bdb54be184105ef19b47c5698fcb contains a patch."}], "source": {"advisory": "GHSA-xggw-g9pm-9qhh", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-xggw-g9pm-9qhh", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-23T14:58:56.846573Z", "id": "CVE-2026-33479", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-23T14:59:02.375Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33479", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-20T16:16:48.970Z", "datePublished": "2026-03-23T14:05:55.725Z", "dateUpdated": "2026-03-23T14:59:02.375Z"}, "containers": {"cna": {"title": "AVideo has PHP Code Injection via eval() in Gallery saveSort.json.php Exploitable Through CSRF Against Admin", "problemTypes": [{"descriptions": [{"cweId": "CWE-94", "lang": "en", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/WWBN/AVideo/security/advisories/GHSA-xggw-g9pm-9qhh", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-xggw-g9pm-9qhh"}, {"name": "https://github.com/WWBN/AVideo/commit/087dab8841f8bdb54be184105ef19b47c5698fcb", "tags": ["x_refsource_MISC"], "url": "https://github.com/WWBN/AVideo/commit/087dab8841f8bdb54be184105ef19b47c5698fcb"}], "affected": [{"vendor": "WWBN", "product": "AVideo", "versions": [{"version": "<= 26.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-23T14:05:55.725Z"}, "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions up to and including 26.0, the Gallery plugin's `saveSort.json.php` endpoint passes unsanitized user input from `$_REQUEST['sections']` array values directly into PHP's `eval()` function. While the endpoint is gated behind `User::isAdmin()`, it has no CSRF token validation. Combined with AVideo's explicit `SameSite=None` session cookie configuration, an attacker can exploit this via cross-site request forgery to achieve unauthenticated remote code execution \u2014 requiring only that an admin visits an attacker-controlled page. Commit 087dab8841f8bdb54be184105ef19b47c5698fcb contains a patch."}], "source": {"advisory": "GHSA-xggw-g9pm-9qhh", "discovery": "UNKNOWN"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33479", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-23T14:58:56.846573Z"}}}], "references": [{"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-xggw-g9pm-9qhh", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-23T14:58:50.744Z"}}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*", "matchCriteriaId": "774C24F1-9D26-484F-B931-1DA107C8F588", "versionEndIncluding": "26.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions up to and including 26.0, the Gallery plugin's `saveSort.json.php` endpoint passes unsanitized user input from `$_REQUEST['sections']` array values directly into PHP's `eval()` function. While the endpoint is gated behind `User::isAdmin()`, it has no CSRF token validation. Combined with AVideo's explicit `SameSite=None` session cookie configuration, an attacker can exploit this via cross-site request forgery to achieve unauthenticated remote code execution \u2014 requiring only that an admin visits an attacker-controlled page. Commit 087dab8841f8bdb54be184105ef19b47c5698fcb contains a patch."}, {"lang": "es", "value": "WWBN AVideo es una plataforma de video de c\u00f3digo abierto. En versiones hasta la 26.0 inclusive, el plugin Gallery, en su endpoint 'saveSort.json.php', pasa entrada de usuario no saneada de los valores del array '$_REQUEST['sections']' directamente a la funci\u00f3n 'eval()' de PHP. Aunque el endpoint est\u00e1 protegido por `User::isAdmin()`, no tiene validaci\u00f3n de token CSRF. Combinado con la configuraci\u00f3n expl\u00edcita de la cookie de sesi\u00f3n `SameSite=None` de AVideo, un atacante puede explotar esto mediante falsificaci\u00f3n de petici\u00f3n en sitios cruzados para lograr ejecuci\u00f3n remota de c\u00f3digo no autenticada \u2014 requiriendo solo que un administrador visite una p\u00e1gina controlada por el atacante. El commit 087dab8841f8bdb54be184105ef19b47c5698fcb contiene un parche."}], "id": "CVE-2026-33479", "lastModified": "2026-03-24T18:48:38.257", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-23T15:16:34.220", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/WWBN/AVideo/commit/087dab8841f8bdb54be184105ef19b47c5698fcb"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-xggw-g9pm-9qhh"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-xggw-g9pm-9qhh"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,26.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "AVideo", "source": "cna", "vendor": "WWBN"}, "product": "avideo", "vendor": "wwbn"}], "analysis": {"en": {"generated_at": "2026-03-24T20:45:26.954292+00:00", "value": {"mitigation_remediation": ["Upgrade AVideo to the patched release that includes commit 087dab8841f8bdb54be184105ef19b47c5698fcb, or any version later than 26.0 that removes eval() usage."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the open\u2011source AVideo platform distributed by WWBN. All releases through version 26.0 are impacted; newer releases are not listed as affected.", "description_and_impact": "In versions of the WWBN AVideo video platform up to and including 26.0, the Gallery plugin\u2019s saveSort.json.php endpoint incorporates user\u2011supplied values from the sections parameter directly into a PHP eval() call without sanitization. Although the endpoint is accessible only to administrators, it lacks CSRF token validation and the platform\u2019s SameSite=None session cookie configuration permits cross\u2011site request forgery. As a result, an attacker can trigger arbitrary PHP code execution on the server simply by getting an administrator to visit a malicious page.", "risk_and_exploitability": "The CVSS v3.1 score of 8.8 indicates high severity, and the EPSS score of under 1% suggests a low probability of exploitation in the wild, yet the presence of a fully remote code execution vector means an exploit would have catastrophic impact. Because the flaw can be triggered via CSRF against an admin session, any authenticated administrator who visits an attacker\u2011controlled page is at risk. The vulnerability is not currently listed in the CISA KEV catalog, but the lack of mitigation in the affected code base makes it a high\u2011priority target for attackers."}}}}, "created": "2026-03-24T10:33:48.426096+00:00", "updated": "2026-03-25T21:28:04.371595+00:00", "vendors": ["wwbn", "wwbn$PRODUCT$avideo"]}