{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35180", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-01T17:26:21.133Z", "datePublished": "2026-04-06T19:06:46.447Z", "dateUpdated": "2026-04-07T14:44:34.133Z"}, "containers": {"cna": {"title": "WWBN AVideo affected by CSRF on Site Customization Endpoint Enables Logo Overwrite via Base64 File Write", "problemTypes": [{"descriptions": [{"cweId": "CWE-352", "lang": "en", "description": "CWE-352: Cross-Site Request Forgery (CSRF)", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/WWBN/AVideo/security/advisories/GHSA-5572-2jgx-fc7c", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-5572-2jgx-fc7c"}], "affected": [{"vendor": "WWBN", "product": "AVideo", "versions": [{"version": "<= 26.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-06T19:06:46.447Z"}, "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions 26.0 and prior, the site customization endpoint at admin/customize_settings_nativeUpdate.json.php lacks CSRF token validation and writes uploaded logo files to disk before the ORM's domain-based security check executes. Combined with SameSite=None cookie policy, a cross-origin POST can overwrite the platform's logo with attacker-controlled content."}], "source": {"advisory": "GHSA-5572-2jgx-fc7c", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-07T14:42:18.690559Z", "id": "CVE-2026-35180", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-07T14:44:34.133Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"cna": {"title": "WWBN AVideo affected by CSRF on Site Customization Endpoint Enables Logo Overwrite via Base64 File Write", "source": {"advisory": "GHSA-5572-2jgx-fc7c", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "WWBN", "product": "AVideo", "versions": [{"status": "affected", "version": "<= 26.0"}]}], "references": [{"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-5572-2jgx-fc7c", "name": "https://github.com/WWBN/AVideo/security/advisories/GHSA-5572-2jgx-fc7c", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions 26.0 and prior, the site customization endpoint at admin/customize_settings_nativeUpdate.json.php lacks CSRF token validation and writes uploaded logo files to disk before the ORM's domain-based security check executes. Combined with SameSite=None cookie policy, a cross-origin POST can overwrite the platform's logo with attacker-controlled content."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352: Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-06T19:06:46.447Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-35180", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-07T14:42:18.690559Z"}}}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2026-04-07T14:44:30.328Z"}}]}, "cveMetadata": {"cveId": "CVE-2026-35180", "state": "PUBLISHED", "dateUpdated": "2026-04-06T19:06:46.447Z", "dateReserved": "2026-04-01T17:26:21.133Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-06T19:06:46.447Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions 26.0 and prior, the site customization endpoint at admin/customize_settings_nativeUpdate.json.php lacks CSRF token validation and writes uploaded logo files to disk before the ORM's domain-based security check executes. Combined with SameSite=None cookie policy, a cross-origin POST can overwrite the platform's logo with attacker-controlled content."}], "id": "CVE-2026-35180", "lastModified": "2026-04-07T13:20:11.643", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-06T20:16:26.237", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-5572-2jgx-fc7c"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Undergoing Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,26.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "AVideo", "source": "cna", "vendor": "WWBN"}, "product": "avideo", "vendor": "wwbn"}], "analysis": {"en": {"generated_at": "2026-04-07T01:39:55.108897+00:00", "value": {"mitigation_remediation": ["Upgrade to a version of WWBN AVideo newer than 26.0 that includes CSRF validation and corrected file handling. ", "Implement CSRF token checks on the '/admin/customize_settings_nativeUpdate.json.php' endpoint if an upgrade is not yet possible. ", "Adjust the platform\u2019s session cookie attributes to use SameSite=Lax or SameSite=Strict, reducing the risk of cross\u2011origin POSTs. ", "Audit and monitor the logo file location for unauthorized changes to detect potential tampering. ", "Apply any vendor\u2011provided security patches as they become available to eliminate the underlying flaw."], "summary": {"action": "Patch", "impact": "Defacement via logo overwrite"}, "threat_synthesis": {"affected_systems": "The affected product is the WWBN AVideo platform. Versions 26.0 and earlier contain the unchecked CSRF logic and the insecure file write routine. No patch version is listed in the advisory, but upgrading to a build newer than 26.0 removes the flaw.", "description_and_impact": "The vulnerability appears in the site customization endpoint of versions 26.0 and earlier of the WWBN AVideo video platform. The endpoint lacks CSRF token validation and writes uploaded logo files to disk before the ORM\u2019s domain\u2011based security check runs. Because the platform uses a SameSite=None cookie policy, a cross\u2011origin POST request can be constructed to trigger the logo upload. The resulting defect allows an attacker to replace the platform\u2019s logo with arbitrary content, effectively defacing the website\u2019s appearance. This weakness corresponds to CWE-352, the Cross\u2011Site Request Forgery flaw.", "risk_and_exploitability": "The CVSS score of 4.3 indicates a low severity from a pure technical standpoint, but the potential for brand defacement and the ease of exploitation via a cross\u2011origin POST make it a security nuisance that should be addressed promptly. EPSS data is not available, and the vulnerability is not listed in CISA\u2019s KEV catalog. The likely attack vector is a remote user crafting a cross\u2011origin HTTP request that exploits the missing CSRF token and the lax SameSite cookie setting. No additional prerequisites beyond normal web interaction are required, meaning the risk is that any visitor with access to the 'admin/customize_settings_nativeUpdate.json.php' endpoint could trigger the logo overwrite. The absence of a requirement for elevated privileges further lowers the barrier to exploitation."}}}}, "created": "2026-04-07T06:54:32.704639+00:00", "updated": "2026-04-07T09:37:35.391479+00:00", "vendors": ["wwbn", "wwbn$PRODUCT$avideo"]}