DEV Community

CVE Reports

Posted on • Originally published at cvereports.com


CVE-2026-33507: Remote Code Execution via Cross-Site Request Forgery in WWBN AVideo

Vulnerability ID: CVE-2026-33507
CVSS Score: 8.8
Published: 2026-03-20

WWBN AVideo versions up to and including 26.0 are vulnerable to Cross-Site Request Forgery (CSRF) in the plugin import mechanism. The session cookie is issued with SameSite=None, so browsers attach it to cross-site requests, and the plugin import endpoint neither checked the request's Origin nor required a CSRF token. An attacker who lures an authenticated administrator to a crafted page can therefore make the administrator's browser submit a malicious plugin archive on the attacker's behalf. Because the uploaded plugin can contain a web shell, this yields Remote Code Execution (RCE) on the underlying server.

TL;DR

A CSRF vulnerability in AVideo's plugin system lets an attacker ride an authenticated administrator's session: the administrator's browser is made to silently POST a malicious ZIP archive containing a web shell to the plugin import endpoint, which gives the attacker RCE. No credentials are needed, only a visit by the administrator to the attacker's page.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-352 (Cross-Site Request Forgery)
  • Attack Vector: Network
  • CVSS v3.1: 8.8 (High)
  • Impact: Remote Code Execution (RCE)
  • Exploit Status: Proof of Concept Available
  • KEV Status: Not Listed

Affected Systems

  • WWBN AVideo <= 26.0 (fixed after 26.0 in commit d1bc1695edd9ad4468a48cea0df6cd943a2635f3)

Code Analysis

Commit: d1bc169

Implemented allowOrigin() and verifyToken() to fix CSRF vulnerability in pluginImport.json.php
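The commit message names two checks, allowOrigin() and verifyToken(). The Python model below is an added example, not AVideo's PHP code and not the project's implementation of those functions; it shows what the two checks have to do and why both are needed on a state-changing upload endpoint. The site origin, the form field name and the request scenarios are constructed assumptions.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed site origin for the example; a real deployment uses its own URL.
SITE_ORIGIN = "https://video.example"


def origin_from_url(url):
    """Reduce a URL (e.g. a Referer) to scheme://host[:port], or None if it is not absolute."""
    parts = urlsplit(url or "")
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def allow_origin(headers, site_origin=SITE_ORIGIN):
    """Origin/Referer check for a state-changing request (hypothetical allowOrigin()).

    Browsers send Origin on cross-site POSTs: a cross-site fetch() carries the attacker's
    origin, a sandboxed frame carries the literal string "null". Referer is the fallback
    for clients that omit Origin; a request carrying neither is rejected because nothing
    shows it came from the site's own pages.
    """
    origin = headers.get("Origin")
    if origin is None:
        origin = origin_from_url(headers.get("Referer"))
    if origin is None:
        return False
    return origin.lower() == site_origin.lower()


def issue_token(session):
    """Store a fresh per-session CSRF token; the admin page embeds it in the upload form."""
    session["csrf_token"] = secrets.token_hex(32)
    return session["csrf_token"]


def verify_token(session, submitted):
    """Constant-time comparison of the submitted token with the one bound to the session
    (hypothetical verifyToken()). Compares bytes so odd input cannot raise instead of fail."""
    expected = session.get("csrf_token")
    if not expected or not isinstance(submitted, str) or not submitted:
        return False
    return hmac.compare_digest(expected.encode(), submitted.encode())


def authorize_plugin_import(session, headers, form):
    """Decide whether a plugin import POST may proceed; returns (allowed, reason).

    The session is whatever the browser's cookie identified. With SameSite=None that can
    be the administrator's real session even though the request was forged elsewhere,
    which is why both checks must run before the ZIP is touched.
    """
    if not session.get("is_admin"):
        return False, "not an administrator"
    if not allow_origin(headers):
        return False, "origin not allowed"
    if not verify_token(session, form.get("csrf_token")):
        return False, "invalid CSRF token"
    return True, "ok"


def run_scenarios():
    """Constructed requests against an administrator's session; returns {name: reason}."""
    admin = {"is_admin": True}
    token = issue_token(admin)
    scenarios = {
        # cross-site fetch() from the attacker's page: cookie rides along, Origin is theirs, no token
        "cross_site_fetch": ({"Origin": "https://attacker.example"}, {"plugin": "evil.zip"}),
        # the same forged request from a sandboxed iframe: Origin is the literal "null"
        "sandboxed_frame": ({"Origin": "null"}, {"plugin": "evil.zip"}),
        # no Origin and no Referer at all (stripped by a proxy or privacy extension)
        "no_provenance": ({}, {"plugin": "evil.zip", "csrf_token": token}),
        # genuine upload submitted from the site's own admin page
        "legitimate": ({"Origin": SITE_ORIGIN}, {"plugin": "plugin.zip", "csrf_token": token}),
        # right origin via Referer, but a token from an older session (stale tab after re-login)
        "stale_token": ({"Referer": SITE_ORIGIN + "/plugins"}, {"plugin": "plugin.zip", "csrf_token": "0" * 64}),
    }
    results = {}
    for name, (headers, form) in scenarios.items():
        results[name] = authorize_plugin_import(admin, headers, form)[1]
    # a session that is not an administrator is refused before any CSRF logic runs
    results["anonymous"] = authorize_plugin_import({}, {"Origin": SITE_ORIGIN}, {"csrf_token": token})[1]
    return results


if __name__ == "__main__":
    for name, reason in run_scenarios().items():
        print(f"{name:18s} -> {reason}")
```

The origin check alone is not enough (some clients strip Origin and Referer, and an allowlist that is too loose lets a subdomain through), and the token alone is not enough if the token can be read cross-site; the fix applies both, and the order above rejects forged requests before any archive is extracted.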

Exploit Details

  • A proof of concept exists that demonstrates the malicious ZIP structure and a cross-site fetch() payload which relies on the session cookie being sent with SameSite=None.

Mitigation Strategies

  • Apply the official vendor patch so that the Origin/Referer check and CSRF token validation are enforced on the plugin import endpoint and on any other state-changing upload endpoint.
  • Reconfigure the session cookie to use SameSite=Lax or SameSite=Strict. Lax still lets browsers send the cookie on cross-site top-level GET navigations, so treat it as defence in depth rather than a replacement for token validation.
  • Where a WAF fronts the application, reject POST requests to administrative endpoints whose Origin (or, if absent, Referer) does not match the site's own origin.
  • Restrict the administrative interface to trusted IP addresses or a VPN subnet. CSRF rides the administrator's own browser, so this does not stop the forged request when the administrator is inside the trusted range; it mainly limits the attacker's later access to a dropped web shell.

Remediation Steps:

  1. Download the latest stable release of WWBN AVideo or apply commit d1bc1695edd9ad4468a48cea0df6cd943a2635f3.
  2. Verify that objects/pluginImport.json.php calls allowOrigin() and verifyToken() before the uploaded archive is processed.
  3. Update objects/include_config.php to set session.cookie_samesite to 'Lax'.
  4. Restart PHP-FPM or the web server so every worker picks up the session configuration change. Browsers keep the attributes a cookie was issued with, so existing administrator sessions should be logged out and re-established to receive the new cookie.
  5. Audit the plugin/ directory for unauthorized or unrecognized files: compare it against the release archive, and inspect any PHP file that was not shipped with the release or that feeds request input into an execution function. Any such file indicates a previous compromise, not just an unpatched system.
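Step 5 can be scripted. The following Python audit is an added example, not a tool shipped with AVideo or by the advisory's authors: it walks a plugin directory, flags anything outside the set of plugin directories known from the installed release, and applies a simple web shell heuristic (request input reaching an execution sink, obfuscation feeding a sink, hidden PHP files). The plugin names, file contents and the heuristic itself are constructed assumptions; expect false positives and review hits by hand.

```python
import re
import tempfile
from pathlib import Path

# PHP extensions worth inspecting, and the two pattern classes a web shell almost always
# combines: a request-controlled input and a code/command execution sink. Constructed
# heuristic, not a signature from the advisory.
PHP_SUFFIXES = {".php", ".phtml", ".php5", ".phar"}
INPUT_SOURCE = re.compile(r"\$_(GET|POST|REQUEST|COOKIE|FILES)\s*\[", re.I)
EXEC_SINK = re.compile(
    r"\b(eval|assert|system|passthru|shell_exec|exec|popen|proc_open|create_function)\s*\(", re.I)
OBFUSCATION = re.compile(r"\b(base64_decode|gzinflate|str_rot13)\s*\(", re.I)


def inspect_php_file(path):
    """Return the reasons a single PHP file looks suspicious (empty list if none)."""
    text = path.read_text(errors="replace")
    reasons = []
    if INPUT_SOURCE.search(text) and EXEC_SINK.search(text):
        reasons.append("request input reaches an execution sink")
    if OBFUSCATION.search(text) and EXEC_SINK.search(text):
        reasons.append("obfuscated payload fed to an execution sink")
    if path.name.startswith("."):
        reasons.append("hidden PHP file")
    return reasons


def audit_plugin_dir(root, known_plugins):
    """Walk plugin/ and return {relative path: [reasons]} for files worth a closer look.

    known_plugins is the set of plugin directory names shipped with the installed release
    (take it from the release archive); anything else was added after installation.
    """
    root = Path(root)
    findings = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root)
        reasons = []
        if rel.parts[0] not in known_plugins:
            reasons.append("not part of the installed release")
        if path.suffix.lower() in PHP_SUFFIXES:
            reasons.extend(inspect_php_file(path))
        if reasons:
            findings[rel.as_posix()] = reasons
    return findings


def build_sample_tree():
    """Create a constructed plugin/ tree: one legitimate plugin, a shell dropped inside it,
    and one whole plugin directory that is not part of the release."""
    root = Path(tempfile.mkdtemp(prefix="plugin_"))
    (root / "SamplePlugin").mkdir()
    (root / "SamplePlugin" / "SamplePlugin.php").write_text(
        "<?php\nclass SamplePlugin { function getDescription() { return 'sample'; } }\n")
    (root / "SamplePlugin" / ".cache.php").write_text(
        "<?php if (isset($_POST['c'])) { echo shell_exec($_POST['c']); }\n")
    (root / "UploadedPlugin").mkdir()
    (root / "UploadedPlugin" / "index.php").write_text(
        "<?php @eval(base64_decode($_REQUEST['p']));\n")
    (root / "UploadedPlugin" / "readme.txt").write_text("not a plugin\n")
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    for rel, reasons in audit_plugin_dir(sample, {"SamplePlugin"}).items():
        print(rel, "->", "; ".join(reasons))
```

Run it against the real plugin/ directory with the plugin names from the release archive as known_plugins; a clean tree returns an empty dict. A hit means the host should be treated as compromised, since the only way a foreign PHP file reaches plugin/ through this bug is a successful forged import.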

