CVE-2026-33479

HighPublic PoC

Published: 23 March 2026

Published

23 March 2026

Modified

24 March 2026

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS Score 0.0021 43.5th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the Gallery plugin's `saveSort.json.php` endpoint passes unsanitized user input from `$_REQUEST['sections']` array values directly into PHP's `eval()` function. While the endpoint is gated behind `User::isAdmin()`,…

it has no CSRF token validation. Combined with AVideo's explicit `SameSite=None` session cookie configuration, an attacker can exploit this via cross-site request forgery to achieve unauthenticated remote code execution — requiring only that an admin visits an attacker-controlled page. Commit 087dab8841f8bdb54be184105ef19b47c5698fcb contains a patch.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly prevents code injection by requiring validation and sanitization of unsanitized user input from $_REQUEST['sections'] before passing to PHP's eval() function.

SI-2 Flaw Remediation good match

prevent

Ensures timely application of the patch (commit 087dab8841f8bdb54be184105ef19b47c5698fcb) that sanitizes input, comprehensively remediating the specific flaw.

SC-23 Session Authenticity good match

prevent

Mitigates CSRF exploitation of the admin-only endpoint lacking token validation by enforcing session authenticity mechanisms like CSRF tokens, blocking forged requests via SameSite=None cookies.

Security SummaryAI

CVE-2026-33479 affects WWBN AVideo, an open source video platform, in versions up to and including 26.0. The vulnerability resides in the Gallery plugin's `saveSort.json.php` endpoint, which passes unsanitized user input from the `$_REQUEST['sections']` array values directly into PHP's `eval()` function, enabling code injection (CWE-94). The issue has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H), indicating high severity due to its potential for significant impact.

An attacker can exploit this vulnerability via cross-site request forgery (CSRF), as the endpoint is protected only by `User::isAdmin()` authentication with no CSRF token validation. AVideo's explicit `SameSite=None` configuration on session cookies allows an attacker's malicious page to forge a request from an authenticated admin's browser when the admin visits the attacker-controlled site. This results in unauthenticated remote code execution on the server.

The GitHub security advisory (GHSA-xggw-g9pm-9qhh) and patch commit (087dab8841f8bdb54be184105ef19b47c5698fcb) detail the fix, which sanitizes the input before evaluation to prevent code injection. Security practitioners should update to a patched version beyond 26.0 and consider implementing CSRF protections on admin endpoints as a general best practice.

Details

CWE(s): CWE-94

Affected Products

wwbn

avideo

≤ 26.0

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

The vulnerability is a code injection flaw in a public-facing web application's admin endpoint, exploitable via CSRF for unauthenticated RCE, directly mapping to exploitation of public-facing applications.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://github.com/WWBN/AVideo/commit/087dab8841f8bdb54be184105ef19b47c5698fcb
Patch · security-advisories@github.com
https://github.com/WWBN/AVideo/security/advisories/GHSA-xggw-g9pm-9qhh
Exploit, Mitigation, Vendor Advisory · security-advisories@github.com
https://github.com/WWBN/AVideo/security/advisories/GHSA-xggw-g9pm-9qhh
Exploit, Mitigation, Vendor Advisory · 134c704f-9b21-4f2e-91b3-4a467353bcc0