Cross-Site Request Forgery Vulnerability in AVideo Open Source Platform
CVE-2026-45610

5.7MEDIUM

Key Information:

Vendor: Wwbn
Status: Avideo
Vendor: CVE Published:; 29 May 2026

What is CVE-2026-45610?

AVideo, an open-source video platform, has a vulnerability that allows an attacker to exploit cross-site request forgery on the 2FA toggle functionality. In versions 29.0 and earlier, the plugin/loginControl/set.json.php endpoint permits certain POST requests without validating the origin, enabling unauthorized changes to user settings. Specifically, an attacker can remotely disable two-factor authentication for a logged-in user through a crafted cross-origin request. This occurs due to the lack of security checks like token validation and re-authentication, raising significant concerns for user account protection.

Affected Version(s)

AVideo <= 29.0

References

https://github.com/WWBN/AVideo/security/advisories/GHSA-3...

x_refsource_CONFIRM

CVSS V3.1

Score:

5.7

Severity:

MEDIUM

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 29, 2026
Vulnerability Reserved
May 12, 2026

CVE-2026-45610 Data

JSON

Wwbn

What is CVE-2026-45610?

Affected Version(s)

References

CVSS V3.1

Timeline