CVE-2016-20035
published 2026-03-16CVE-2016-20035: Wowza Streaming Engine 4.5.0 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions by crafting malicious…
PriorityP421medium4.3CVSS 3.1
AVNACLPRNUIRSUCNILAN
EPSS
0.16%
5.1th percentile
Wowza Streaming Engine 4.5.0 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions by crafting malicious web pages. Attackers can trick logged-in administrators into visiting a malicious site that submits POST requests to the user edit endpoint to create new admin accounts with arbitrary credentials.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| wowza | streaming_engine | — | — |
| wowza_media_systems_llc | wowza_streaming_engine | — | — |
CVSS provenance
nvdv3.14.3MEDIUMCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
nvdv4.06.9MEDIUMCVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
No detection rules found.
No public exploits indexed.
Wiz
CVE-2016-20034 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.5
CVE-2016-20034 [HIGH] CVE-2016-20034 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2016-20034 :
Wowza Streaming Engine vulnerability analysis and mitigation
Wowza Streaming Engine 4.5.0 contains a privilege escalation vulnerability that allows authenticated read-only users to elevate privileges to administrator by manipulating POST parameters. Attackers can send POST requests to the user edit endpoint with accessLevel set to 'admin' and advUser parameters set to 'true' and 'on' to gain administrative access.
Source : NVD
## 8.7
Score
Published March 16, 2026
Severity HIGH
CNA Score 8.7
Affected Technologies
Wowza Streaming Engine
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 8.5
Exploitation Probability (EPSS) N/A
Affected packages and libraries
cpe:2.3:
Wiz
CVE-2016-20036 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.5
CVE-2016-20036 [HIGH] CVE-2016-20036 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2016-20036 :
Wowza Streaming Engine vulnerability analysis and mitigation
Wowza Streaming Engine 4.5.0 contains multiple reflected cross-site scripting vulnerabilities in the enginemanager interface where input passed through various parameters is not properly sanitized before being returned to users. Attackers can inject malicious script code through parameters like appName, vhost, uiAppType, and wowzaCloudDestinationType in multiple endpoints to execute arbitrary HTML and JavaScript in a user's browser session.
Source : NVD
## 5.1
Score
Published March 16, 2026
Severity MEDIUM
CNA Score 5.1
Affected Technologies
Wowza Streaming Engine
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile
Wiz
CVE-2016-20033 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.5
CVE-2016-20033 [HIGH] CVE-2016-20033 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2016-20033 :
Wowza Streaming Engine vulnerability analysis and mitigation
Wowza Streaming Engine 4.5.0 contains a local privilege escalation vulnerability that allows authenticated users to escalate privileges by replacing executable files due to improper file permissions granting full access to the Everyone group. Attackers can replace the nssm_x64.exe binary in the manager and engine service directories with malicious executables to execute code with LocalSystem privileges when services restart.
Source : NVD
## 8.5
Score
Published March 16, 2026
Severity HIGH
CNA Score 8.5
Affected Technologies
Wowza Streaming Engine
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 4.1
Exploi
Wiz
CVE-2016-20035 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.5
CVE-2016-20035 [HIGH] CVE-2016-20035 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2016-20035 :
Wowza Streaming Engine vulnerability analysis and mitigation
Wowza Streaming Engine 4.5.0 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions by crafting malicious web pages. Attackers can trick logged-in administrators into visiting a malicious site that submits POST requests to the user edit endpoint to create new admin accounts with arbitrary credentials.
Source : NVD
## 6.9
Score
Published March 16, 2026
Severity MEDIUM
CNA Score 6.9
Affected Technologies
Wowza Streaming Engine
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 10.1
Exploitation Probability (EPSS) N/A
Affected packages and libraries
cpe:2.
2026-03-16
Published