CVE-2026-43880

May 12, 2026, 2:50 p.m.

5.3
Medium

Description

WWBN AVideo is an open source video platform. In versions up to and including 29.0, objects/sendEmail.json.php exposes two branches depending on whether contactForm=1 is submitted. When the parameter is omitted, the endpoint sets $sendTo to an attacker-supplied email and, for unauthenticated callers, uses the site's own contact email as the message From:/Reply-To:. The endpoint is explicitly allow-listed as a "public write action" in objects/functionsSecurity.php (line 885), so it requires no authentication or CSRF token. An unauthenticated attacker (solving a captcha) can force the site's own SMTP infrastructure to send attacker-composed emails to arbitrary recipients with the site's legitimate sender address, passing SPF/DKIM/DMARC for the site's domain — ideal for targeted phishing and brand impersonation. Commit 4e3709895857a5857f0edb46b0ee984de0d9e1a2 contains an updated fix.

Product(s) Impacted

Vendor Product Versions
Wwbn
  • Avideo
  • *

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-940
Improper Verification of Source of a Communication Channel
The product establishes a communication channel to handle an incoming request that has been initiated by an actor, but it does not properly verify that the request is coming from the expected origin.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a wwbn avideo / / / / / / / /

References

https://github.com/WWBN/AVideo/commit/4e3709895857a5857f0edb46b0ee984de0d9e1a2
https://github.com/WWBN/AVideo/security/advisories/GHSA-5hgj-7gm9-cff5
https://github.com/WWBN/AVideo/security/advisories/GHSA-5hgj-7gm9-cff5

Tags

[email protected]
CWE-940
2026-05-11
CVE-2026-43880

CVSS Score

5.3 / 10

CVSS Data - 3.1

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: NONE
  • Integrity Impact: LOW
  • Availability Impact: NONE

    • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

    View Vector String

Timeline

Published: May 11, 2026, 10:22 p.m.
Last Modified: May 12, 2026, 2:50 p.m.

Status : Deferred

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

[email protected]

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.