
5 matches found

RedhatCVE
added 2026/03/26 3:0 p.m., 3 views

CVE-2026-33479

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the Gallery plugin's saveSort.json.php endpoint passes unsanitized user input from $_REQUEST['sections'] array values directly into PHP's eval function. While the endpoint is gated behind User::isAdmin, it has no CSR...

CVSS 8.8 | AI score 6.4 | EPSS 0.00531
Exploits: 1 | References: 1
NVD
added 2026/03/23 3:16 p.m., 9 views

CVE-2026-33479

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the Gallery plugin's saveSort.json.php endpoint passes unsanitized user input from $_REQUEST['sections'] array values directly into PHP's eval function. While the endpoint is gated behind User::isAdmin, it has no CSR...

CVSS 8.8 | EPSS 0.00531
Exploits: 1 | References: 2
CVE
added 2026/03/23 2:5 p.m., 12 views

CVE-2026-33479

CVE-2026-33479 affects WWBN AVideo (Gallery plugin, saveSort.json.php) where unsanitized values from $_REQUEST['sections'] are fed into eval(), enabling PHP code execution via CSRF against an admin session. The issue exists up to version 26.0; a patch in commit 087dab8841f8bdb54be184105ef19b47c56...

CVSS 8.8 | AI score 6.3 | EPSS 0.00531
Exploits: 1 | References: 2 | Affected Software: 1
Snyk
added 2026/03/20 8:44 p.m., 4 views

Arbitrary Code Injection

Overview: wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to Arbitrary Code Injection via the saveSort.json.php endpoint. An attacker can execute arbitrary PHP code on the server by luring an authenticated admin to visit a...

CVSS 8.8 | AI score 6.1 | EPSS 0.00531
Exploits: 1 | References: 2
Positive Technologies
added 2026/03/20 12:0 a.m., 11 views

PT-2026-26766

Summary: The Gallery plugin's saveSort.json.php endpoint passes unsanitized user input from $_REQUEST['sections'] array values directly into PHP's eval function. While the endpoint is gated behind User::isAdmin, it has no CSRF token validation. Combined with AVideo's explicit SameSite=None session...

CVSS 8.8 | AI score 6.7 | EPSS 0.00531
Exploits: 1 | References: 7