CVE-2026-33479

{"id": "CVE-2026-33479", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2026-03-23T15:16:34.220", "references": [{"url": "https://github.com/WWBN/AVideo/commit/087dab8841f8bdb54be184105ef19b47c5698fcb", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-xggw-g9pm-9qhh", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-xggw-g9pm-9qhh", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-94"}]}], "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions up to and including 26.0, the Gallery plugin's `saveSort.json.php` endpoint passes unsanitized user input from `$_REQUEST['sections']` array values directly into PHP's `eval()` function. While the endpoint is gated behind `User::isAdmin()`, it has no CSRF token validation. Combined with AVideo's explicit `SameSite=None` session cookie configuration, an attacker can exploit this via cross-site request forgery to achieve unauthenticated remote code execution \u2014 requiring only that an admin visits an attacker-controlled page. Commit 087dab8841f8bdb54be184105ef19b47c5698fcb contains a patch."}, {"lang": "es", "value": "WWBN AVideo es una plataforma de video de c\u00f3digo abierto. En versiones hasta la 26.0 inclusive, el plugin Gallery, en su endpoint 'saveSort.json.php', pasa entrada de usuario no saneada de los valores del array '$_REQUEST['sections']' directamente a la funci\u00f3n 'eval()' de PHP. Aunque el endpoint est\u00e1 protegido por `User::isAdmin()`, no tiene validaci\u00f3n de token CSRF. Combinado con la configuraci\u00f3n expl\u00edcita de la cookie de sesi\u00f3n `SameSite=None` de AVideo, un atacante puede explotar esto mediante falsificaci\u00f3n de petici\u00f3n en sitios cruzados para lograr ejecuci\u00f3n remota de c\u00f3digo no autenticada \u2014 requiriendo solo que un administrador visite una p\u00e1gina controlada por el atacante. El commit 087dab8841f8bdb54be184105ef19b47c5698fcb contiene un parche."}], "lastModified": "2026-03-24T18:48:38.257", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "774C24F1-9D26-484F-B931-1DA107C8F588", "versionEndIncluding": "26.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}