2 matches found
CVE-2026-40929 WWBN AVideo's missing CSRF protection in objects/commentDelete.json.php enables mass comment deletion against moderators and content creators
WWBN AVideo is an open source video platform. In versions 29.0 and prior, objects/commentDelete.json.php is a state-mutating JSON endpoint that deletes comments but performs no CSRF validation. It does not call forbidIfIsUntrustedRequest, does not verify a CSRF/global token, and does not check...
CVE-2026-40929
creationtimestamp| type| source ---|---|--- 2026-04-13 13:48:53+00:00| published-proof-of-concept| https://github.com/WWBN/AVideo/security/advisories/GHSA-8qm8-g55h-xmqr...