{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33043", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-17T18:10:50.211Z", "datePublished": "2026-03-20T05:52:59.412Z", "dateUpdated": "2026-03-20T05:52:59.412Z"}, "containers": {"cna": {"title": "AVideo affected by Session Hijacking via Unauthenticated Session ID Disclosure with Permissive CORS", "problemTypes": [{"descriptions": [{"cweId": "CWE-942", "lang": "en", "description": "CWE-942: Permissive Cross-domain Policy with Untrusted Domains", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/WWBN/AVideo/security/advisories/GHSA-qc3p-398r-p59j", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-qc3p-398r-p59j"}, {"name": "https://github.com/WWBN/AVideo/commit/9f4f51e5df5e3343400f9d0068705f5482b6f930", "tags": ["x_refsource_MISC"], "url": "https://github.com/WWBN/AVideo/commit/9f4f51e5df5e3343400f9d0068705f5482b6f930"}], "affected": [{"vendor": "WWBN", "product": "AVideo", "versions": [{"version": "< 26.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T05:52:59.412Z"}, "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions 25.0 and below, /objects/phpsessionid.json.php exposes the current PHP session ID to any unauthenticated request. The allowOrigin() function reflects any Origin header back in Access-Control-Allow-Origin with Access-Control-Allow-Credentials: true, enabling cross-origin session theft and full account takeover. This issue has been fixed in version 26.0."}], "source": {"advisory": "GHSA-qc3p-398r-p59j", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions 25.0 and below, /objects/phpsessionid.json.php exposes the current PHP session ID to any unauthenticated request. The allowOrigin() function reflects any Origin header back in Access-Control-Allow-Origin with Access-Control-Allow-Credentials: true, enabling cross-origin session theft and full account takeover. This issue has been fixed in version 26.0."}], "id": "CVE-2026-33043", "lastModified": "2026-03-20T13:37:50.737", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-20T06:16:12.670", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/WWBN/AVideo/commit/9f4f51e5df5e3343400f9d0068705f5482b6f930"}, {"source": "security-advisories@github.com", "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-qc3p-398r-p59j"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Undergoing Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-942"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,26.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "AVideo", "source": "cna", "vendor": "WWBN"}, "product": "avideo", "vendor": "wwbn"}], "analysis": {"en": {"generated_at": "2026-03-20T07:51:17.210469+00:00", "value": {"mitigation_remediation": ["Upgrade to AVideo 26.0 or later"], "summary": {"action": "Patch", "impact": "Unauthorized Account Takeover via Session Hijacking"}, "threat_synthesis": {"affected_systems": "The affected product is WWBN AVideo, versions 25.0 and earlier. The issue was resolved in version 26.0 and no other vendors or product variants are listed in the provided data.", "description_and_impact": "An unauthenticated endpoint in WWBN AVideo (path /objects/phpsessionid.json.php) exposes the current PHP session ID to any caller. The allowOrigin() function blindly reflects the Origin header back in Access\u2011Control\u2011Allow\u2011Origin with Access\u2011Control\u2011Allow\u2011Credentials set to true, enabling cross\u2011origin request forgery. This combination permits an attacker to steal a victim\u2019s session cookie from the browser and use it to authenticate as that user, leading to full account takeover and compromising confidentiality and integrity of the affected user\u2019s data.", "risk_and_exploitability": "The CVSS v3 score of 8.1 indicates high severity. The exploit probability score (EPSS) is not available, and the vulnerability is not listed in the CISA KEV catalog, so exploit prevalence information is lacking. Based on the description, the likely attack vector is a network\u2011based request to the exposed endpoint, typically via a malicious web page that targets the permissive CORS configuration. If an attacker can direct a victim\u2019s browser to the vulnerable endpoint or craft a cross\u2011origin request, the session token can be retrieved and used to impersonate the victim, resulting in significant risk for any deployment of the affected AVideo versions."}}}}, "created": "2026-03-20T08:52:22.341256+00:00", "updated": "2026-03-20T10:37:03.595075+00:00", "vendors": ["wwbn", "wwbn$PRODUCT$avideo"]}