CVE-2026-33296

WWBN AVideo is an open source video platform. Prior to version 26.0, WWBN/AVideo contains an open redirect vulnerability in the login flow where a user-supplied redirectUri parameter is reflected directly into a JavaScript `document.location` assignment without JavaScript-safe encoding. After a user completes the login popup flow, a timer callback executes the redirect using the unvalidated value, sending the victim to an attacker-controlled site. Version 26.0 fixes the issue.

CVSS v3 6.1 MEDIUM

6.1^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/WWBN/AVideo/commit/68d0fbb19e382fe62e6cc7bd48b51ffa1d9e310e	Patch
https://github.com/WWBN/AVideo/security/advisories/GHSA-hj5h-5623-gwhw	Exploit Vendor Advisory
https://github.com/WWBN/AVideo/security/advisories/GHSA-hj5h-5623-gwhw	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*

History

24 Mar 2026, 17:52

Type	Values Removed	Values Added
First Time		Wwbn Wwbn avideo
References	~~() https://github.com/WWBN/AVideo/commit/68d0fbb19e382fe62e6cc7bd48b51ffa1d9e310e -~~	() https://github.com/WWBN/AVideo/commit/68d0fbb19e382fe62e6cc7bd48b51ffa1d9e310e - Patch
References	~~() https://github.com/WWBN/AVideo/security/advisories/GHSA-hj5h-5623-gwhw -~~	() https://github.com/WWBN/AVideo/security/advisories/GHSA-hj5h-5623-gwhw - Exploit, Vendor Advisory
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 6.1
Summary		(es) WWBN AVideo es una plataforma de video de código abierto. Antes de la versión 26.0, WWBN/AVideo contiene una vulnerabilidad de redirección abierta en el flujo de inicio de sesión donde un parámetro redirectUri proporcionado por el usuario se refleja directamente en una asignación de JavaScript 'document.location' sin codificación segura para JavaScript. Después de que un usuario completa el flujo de inicio de sesión emergente, una devolución de llamada de temporizador ejecuta la redirección utilizando el valor no validado, enviando a la víctima a un sitio controlado por el atacante. La versión 26.0 corrige el problema.
CPE		cpe:2.3:a:wwbn:avideo::::::::

23 Mar 2026, 15:16

Type	Values Removed	Values Added
References	~~() https://github.com/WWBN/AVideo/security/advisories/GHSA-hj5h-5623-gwhw -~~	() https://github.com/WWBN/AVideo/security/advisories/GHSA-hj5h-5623-gwhw -

22 Mar 2026, 17:17

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-22 17:17

Updated : 2026-03-24 17:52

NVD link : CVE-2026-33296

Mitre link : CVE-2026-33296

CVE.ORG link : CVE-2026-33296

JSON object : View

Products Affected

wwbn

avideo

CWE

CWE-601

URL Redirection to Untrusted Site ('Open Redirect')

6.1 /10