Zero Day Monitor © 2026
CVE-2026-35181 · CVSS 4.3 · EXPLOITED
composer · wwbn/avideo

WWBN AVideo Affected by CSRF on Player Skin Configuration via admin/playerUpdate.json.php

Description

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the player skin configuration endpoint at admin/playerUpdate.json.php does not validate CSRF tokens. The plugins table is explicitly excluded from the ORM's domain-based security check via ignoreTableSecurityCheck(), removing the only other layer of defense. Combined with SameSite=None cookies, a cross-origin POST can modify the video player appearance on the entire platform.

Affected Products

Vendor: composer
Product: wwbn/avideo
Versions: composer/wwbn/avideo: <= 26.0

References

  • https://github.com/WWBN/AVideo/security/advisories/GHSA-4q27-4rrq-fx95 (x_refsource_CONFIRM)

Related News (1 article)

Tier C · VulDB · 4h ago
CVE-2026-35181 | WWBN AVideo up to 26.0 Player Skin Configuration Endpoint playerUpdate.json.php ignoreTableSecurityCheck cross-site request forgery
→ No new info (linked only)
CVSS 3.1: 4.3 MEDIUM
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
CISA KEV: No
Actively exploited: Yes
CWE: CWE-352
Published: Apr 3, 2026
Last enriched: 3h ago (v2)
Tags: GHSA-4q27-4rrq-fx95, composer, CVE-2026-35181
Trending score: 46
Source articles: 1
Independent: 1
Info completeness: 8/14
Missing: epss, kev, exploit, patch, iocs, mitre_attack


Related CVEs (5)

CRITICAL · CVE-2026-35470 · EXP
OpenSTAManager has a SQL Injection via righe Parameter in confronta_righe Modals
Trending: 49
MEDIUM · CVE-2026-35179 · EXP
WWBN AVideo Unauthenticated Instagram Graph API Proxy via publishInstagram.json.php
Trending: 46
HIGH · CVE-2026-29782
OpenSTAManager: Remote Code Execution via Insecure Deserialization in OAuth2
Trending: 24
CRITICAL · CVE-2026-34989
CI4MS affected by Profile & User Management Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS
Trending: 20
HIGH · CVE-2026-34236
Auth0-PHP is a PHP SDK for Auth0 Authentication and Management APIs. From version 8.0.0 to before version 8.19.0, in applications built with the Auth0 PHP SDK, cookies are encrypted with insufficient
Trending: 14


Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

CVE Published: Apr 3, 2026
Discovered by ZDM: Apr 3, 2026
Actively Exploited: Apr 6, 2026
Updated (severity, activelyExploited, tags): Apr 6, 2026

Version History

v2 · Tier C · last enriched 3h ago

Updated severity to HIGH, marked as actively exploited, and added CVE-2026-35181 as a new tag.

Fields changed: severity, activelyExploited, tags
via VulDB

v1 · 3d ago

Initial creation