CVE-2026-33479: AVideo has PHP Code Injection via eval() in Gallery saveSort.json.php Exploitable Through CSRF Against Admin

March 20, 2026 (updated March 25, 2026)

The Gallery plugin’s saveSort.json.php endpoint passes unsanitized user input from $_REQUEST['sections'] array values directly into PHP’s eval() function. While the endpoint is gated behind User::isAdmin(), it has no CSRF token validation. Combined with AVideo’s explicit SameSite=None session cookie configuration, an attacker can exploit this via cross-site request forgery to achieve unauthenticated remote code execution — requiring only that an admin visits an attacker-controlled page.

References

github.com/WWBN/AVideo
github.com/WWBN/AVideo/commit/087dab8841f8bdb54be184105ef19b47c5698fcb
github.com/WWBN/AVideo/security/advisories/GHSA-xggw-g9pm-9qhh
github.com/advisories/GHSA-xggw-g9pm-9qhh
nvd.nist.gov/vuln/detail/CVE-2026-33479

Code Behaviors & Features

Detect and mitigate CVE-2026-33479 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →