CVE-2026-33043

High CVSS: 8.1

WWBN AVideo is an open source video platform. In versions 25.0 and below, /objects/phpsessionid.json.php exposes the current PHP session ID to any unauthenticated request. The allowOrigin() function reflects any Origin header back in Access-Control-Allow-Origin with Access-Control-Allow-Credentials: true, enabling cross-origin session theft and full account takeover. This issue has been fixed in version 26.0.

Vendor

Wwbn

Product

Avideo

CWE

CWE-942

Yayın Tarihi

2026-03-20 06:16:12

Güncelleme

2026-03-23 15:28:09

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-942 Avideo HIGH Wwbn 2026

Referanslar

https://github.com/WWBN/AVideo/commit/9f4f51e5df5e3343400f9d0068705f5482b6f930 https://github.com/WWBN/AVideo/security/advisories/GHSA-qc3p-398r-p59j

Benzer Kayıtlar

Medium

CVE-2026-34733

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo installation script install/deleteS…

Medium

CVE-2026-34737

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the StripeYPT plugin includes a test.php debug…

Medium

CVE-2026-34738

WWBN AVideo is an open source video platform. In versions 26.0 and prior, AVideo's video processing pipeline accepts an…

Medium

CVE-2026-34739

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the User_Location plugin's testIP.php page ref…

Medium

CVE-2026-34740

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the EPG (Electronic Program Guide) link featur…

Medium

CVE-2026-34611

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo endpoint objects/emailAllUsers.json…