{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34613", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-30T17:15:52.501Z", "datePublished": "2026-03-31T20:45:50.839Z", "dateUpdated": "2026-04-01T18:44:06.444Z"}, "containers": {"cna": {"title": "AVideo: CSRF on Plugin Enable/Disable Endpoint Allows Disabling Security Plugins", "problemTypes": [{"descriptions": [{"cweId": "CWE-352", "lang": "en", "description": "CWE-352: Cross-Site Request Forgery (CSRF)", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/WWBN/AVideo/security/advisories/GHSA-hqxf-mhfw-rc44", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-hqxf-mhfw-rc44"}], "affected": [{"vendor": "WWBN", "product": "AVideo", "versions": [{"version": "<= 26.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-31T20:45:50.839Z"}, "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo endpoint objects/pluginSwitch.json.php allows administrators to enable or disable any installed plugin. The endpoint checks for an active admin session but does not validate a CSRF token. Additionally, the plugins database table is explicitly listed in ignoreTableSecurityCheck(), which means the ORM-level Referer/Origin domain validation in ObjectYPT::save() is also bypassed. Combined with SameSite=None on session cookies, an attacker can disable critical security plugins (such as LoginControl for 2FA, subscription enforcement, or access control plugins) by luring an admin to a malicious page. At time of publication, there are no publicly available patches."}], "source": {"advisory": "GHSA-hqxf-mhfw-rc44", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-01T18:43:51.782873Z", "id": "CVE-2026-34613", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-01T18:44:06.444Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-34613", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-01T18:43:51.782873Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-01T18:43:59.311Z"}}], "cna": {"title": "AVideo: CSRF on Plugin Enable/Disable Endpoint Allows Disabling Security Plugins", "source": {"advisory": "GHSA-hqxf-mhfw-rc44", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "WWBN", "product": "AVideo", "versions": [{"status": "affected", "version": "<= 26.0"}]}], "references": [{"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-hqxf-mhfw-rc44", "name": "https://github.com/WWBN/AVideo/security/advisories/GHSA-hqxf-mhfw-rc44", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo endpoint objects/pluginSwitch.json.php allows administrators to enable or disable any installed plugin. The endpoint checks for an active admin session but does not validate a CSRF token. Additionally, the plugins database table is explicitly listed in ignoreTableSecurityCheck(), which means the ORM-level Referer/Origin domain validation in ObjectYPT::save() is also bypassed. Combined with SameSite=None on session cookies, an attacker can disable critical security plugins (such as LoginControl for 2FA, subscription enforcement, or access control plugins) by luring an admin to a malicious page. At time of publication, there are no publicly available patches."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352: Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-31T20:45:50.839Z"}}}, "cveMetadata": {"cveId": "CVE-2026-34613", "state": "PUBLISHED", "dateUpdated": "2026-04-01T18:44:06.444Z", "dateReserved": "2026-03-30T17:15:52.501Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-31T20:45:50.839Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*", "matchCriteriaId": "774C24F1-9D26-484F-B931-1DA107C8F588", "versionEndIncluding": "26.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo endpoint objects/pluginSwitch.json.php allows administrators to enable or disable any installed plugin. The endpoint checks for an active admin session but does not validate a CSRF token. Additionally, the plugins database table is explicitly listed in ignoreTableSecurityCheck(), which means the ORM-level Referer/Origin domain validation in ObjectYPT::save() is also bypassed. Combined with SameSite=None on session cookies, an attacker can disable critical security plugins (such as LoginControl for 2FA, subscription enforcement, or access control plugins) by luring an admin to a malicious page. At time of publication, there are no publicly available patches."}], "id": "CVE-2026-34613", "lastModified": "2026-04-01T20:30:11.600", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-31T21:16:31.447", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-hqxf-mhfw-rc44"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,26.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "AVideo", "source": "cna", "vendor": "WWBN"}, "product": "avideo", "vendor": "wwbn"}], "analysis": {"en": {"generated_at": "2026-04-02T04:53:15.004064+00:00", "value": {"mitigation_remediation": ["Wait for an official vendor patch and upgrade to a fixed version as soon as it is released.", "If upgrading is not immediately possible, further restrict access to the AVideo admin interface by limiting network IP ranges or applying firewall rules so that only trusted hosts can reach the admin URL.", "Disable or block the pluginSwitch.json.php endpoint if the platform allows removing or protecting specific files, thereby preventing CSRF attempts from disabling plugins.", "Configure session cookies for the admin session with SameSite=Lax or Strict to reduce the chance that a CSRF request is accepted automatically.", "Monitor administrator logs for unexpected plugin enable/disable actions and investigate any suspicious changes immediately."], "summary": {"action": "Assess Impact", "impact": "Disabling critical security plugins"}, "threat_synthesis": {"affected_systems": "The affected product is WWBN AVideo, versions 26.0 and any earlier releases. No specific patch or version remedy is currently available from the vendor.", "description_and_impact": "The vulnerability is a CSRF flaw in the AVideo pluginSwitch.json.php endpoint, which allows an authenticated administrator to enable or disable any installed plugin without authentication beyond the admin session and without a CSRF token. An attacker can lure an admin to a malicious webpage that automatically performs the request because session cookies have SameSite=None, thereby turning off essential security measures such as two\u2011factor authentication, subscription enforcement, or access controls. The flaw enables the removal of security safeguards and could lead to system compromise or data exfiltration if a malicious admin user disables protective plugins.", "risk_and_exploitability": "The CVSS score of 6.5 reflects the significant impact on security controls. EPSS indicates a very low probability of exploitation (<1%), and the vulnerability is not listed in the CISA KEV catalog, suggesting that no widespread publicly known exploits exist. The likely attack vector requires social engineering to convince a legitimate administrator to visit a malicious page, after which the CSRF request automatically disables the target plugin. Even with low exploitation probability, the loss of critical security functionality represents a high\u2011risk scenario for any installation with active security plugins."}}}}, "created": "2026-04-02T07:52:27.496756+00:00", "updated": "2026-04-02T20:10:41.821103+00:00", "vendors": ["wwbn", "wwbn$PRODUCT$avideo"]}