Email Spoofing Vulnerability in WWBN AVideo Open Source Video Platform
CVE-2026-43880

5.3 MEDIUM

Key Information:

Vendor: Wwbn
CVE Published: 11 May 2026

What is CVE-2026-43880?

AVideo, a widely used open source video platform, has a significant vulnerability in its handling of email functions. In versions up to 29.0, a flaw in the objects/sendEmail.json.php endpoint lets unauthenticated users send emails from the site's address. An attacker can exploit this simply by omitting the contactForm parameter, which allows them to set the email recipient to any address they choose. Because the messages use the site's legitimate sender address, they appear to originate from the site itself, so malicious actors could use them for phishing and to deceive users. To defend against such attacks, users should upgrade to the patched version referenced in commit 4e3709895857a5857f0edb46b0ee984de0d9e1a2.

Affected Version(s)

AVideo <= 29.0

CVSS V3.1

Score: 5.3
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
