CVE-2026-33479
- Source
- https://cve.org/CVERecord?id=CVE-2026-33479
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33479.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2026-33479
- Aliases
- Published
- 2026-03-23T14:05:55.725Z
- Modified
- 2026-04-10T05:42:48.450230Z
- Severity
-
- 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- AVideo has PHP Code Injection via eval() in Gallery saveSort.json.php Exploitable Through CSRF Against Admin
- Details
-
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the Gallery plugin's
saveSort.json.phpendpoint passes unsanitized user input from$_REQUEST['sections']array values directly into PHP'seval()function. While the endpoint is gated behindUser::isAdmin(), it has no CSRF token validation. Combined with AVideo's explicitSameSite=Nonesession cookie configuration, an attacker can exploit this via cross-site request forgery to achieve unauthenticated remote code execution — requiring only that an admin visits an attacker-controlled page. Commit 087dab8841f8bdb54be184105ef19b47c5698fcb contains a patch. - Database specific
{ "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33479.json", "cwe_ids": [ "CWE-94" ], "cna_assigner": "GitHub_M" }- References