CVE-2026-33507: AVideo Affected by CSRF on Plugin Import Endpoint Enables Unauthenticated Remote Code Execution via Malicious Plugin Upload

March 20, 2026

The objects/pluginImport.json.php endpoint allows admin users to upload and install plugin ZIP files containing executable PHP code, but lacks any CSRF protection. Combined with the application explicitly setting session.cookie_samesite = 'None' for HTTPS connections, an unauthenticated attacker can craft a page that, when visited by an authenticated admin, silently uploads a malicious plugin containing a PHP webshell, achieving Remote Code Execution on the server.

References

github.com/WWBN/AVideo
github.com/WWBN/AVideo/security/advisories/GHSA-hv36-p4w4-6vmj
github.com/advisories/GHSA-hv36-p4w4-6vmj
nvd.nist.gov/vuln/detail/CVE-2026-33507

Code Behaviors & Features

Detect and mitigate CVE-2026-33507 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →