CVE-2026-33043

WWBN AVideo is an open source video platform. In versions 25.0 and below, /objects/phpsessionid.json.php exposes the current PHP session ID to any unauthenticated request. The allowOrigin() function reflects any Origin header back in Access-Control-Allow-Origin with Access-Control-Allow-Credentials: true, enabling cross-origin session theft and full account takeover. This issue has been fixed in version 26.0.
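The header pattern described above can be checked for in responses captured from your own deployment. The following is an added example, not code from the AVideo project or from this record; the probe origin, function names and sample header sets are constructed assumptions.

```python
# Added example: audit CORS response headers for the pattern in this CVE.
# All origins and header sets below are constructed sample data.

PROBE_ORIGIN = "https://cors-probe.invalid"  # assumed: an origin the site never trusts


def header(headers, name):
    """Case-insensitive header lookup; returns the stripped value or None."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return None


def classify_cors(sent_origin, headers, trusted=frozenset()):
    """Classify the CORS policy in one response to a request sent with sent_origin."""
    acao = header(headers, "Access-Control-Allow-Origin")
    creds = (header(headers, "Access-Control-Allow-Credentials") or "").lower() == "true"
    if acao is None:
        return "no-cors-headers"
    if acao == "*":
        # Browsers refuse credentialed reads when the allowed origin is a wildcard.
        return "wildcard-with-credentials-invalid" if creds else "wildcard-public"
    if acao == sent_origin:
        if sent_origin in trusted:
            return "trusted-origin"
        # An origin nobody allowlisted came back verbatim: reflection.
        return "reflected-with-credentials" if creds else "reflected-no-credentials"
    # Server answered with a fixed origin unrelated to the one that was sent.
    return "fixed-origin"


SAMPLES = {  # constructed responses, keyed by a label
    "pattern described in the CVE": {
        "access-control-allow-origin": PROBE_ORIGIN,
        "Access-Control-Allow-Credentials": "true",
    },
    "allowlist, probe rejected": {"Content-Type": "application/json"},
    "public wildcard": {"Access-Control-Allow-Origin": "*"},
}


def audit(samples, sent_origin=PROBE_ORIGIN):
    """Return {label: classification} for each captured header set."""
    return {label: classify_cors(sent_origin, h) for label, h in samples.items()}


if __name__ == "__main__":
    for label, verdict in audit(SAMPLES).items():
        print(f"{label}: {verdict}")
```

A "reflected-with-credentials" verdict on an endpoint that returns session data is the condition this CVE describes; after upgrading to 26.0 the same probe should no longer produce it.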
Configurations

Configuration 1

cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*

History

23 Mar 2026, 15:28

Type: Summary
Values Removed: (none)
Values Added:
  • (es) WWBN AVideo is an open source video platform. In versions 25.0 and below, /objects/phpsessionid.json.php exposes the current PHP session ID to any unauthenticated request. The allowOrigin() function reflects any Origin header back in Access-Control-Allow-Origin with Access-Control-Allow-Credentials: true, enabling cross-origin session theft and full account takeover. This issue has been fixed in version 26.0.

Type: References
Values Removed: https://github.com/WWBN/AVideo/commit/9f4f51e5df5e3343400f9d0068705f5482b6f930
Values Added: https://github.com/WWBN/AVideo/commit/9f4f51e5df5e3343400f9d0068705f5482b6f930 - Patch

Type: References
Values Removed: https://github.com/WWBN/AVideo/security/advisories/GHSA-qc3p-398r-p59j
Values Added: https://github.com/WWBN/AVideo/security/advisories/GHSA-qc3p-398r-p59j - Exploit, Vendor Advisory

Type: CPE
Values Removed: (none)
Values Added: cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*

Type: First Time
Values Removed: (none)
Values Added:
  • Wwbn
  • Wwbn avideo

20 Mar 2026, 06:16

Type: New CVE

Information

Published : 2026-03-20 06:16

Updated : 2026-03-23 15:28


NVD link : CVE-2026-33043

Mitre link : CVE-2026-33043

CVE.ORG link : CVE-2026-33043


Products Affected

wwbn

  • avideo
CWE
CWE-942

Permissive Cross-domain Policy with Untrusted Domains