CVE-2026-33043: Permissive Cross-domain Security Policy with Untrusted Domains in AVideo

Severity: 8.1 HIGH (NVD)
EPSS: 0.0% (top 90.79%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline
Latest update: Mar 17
Published: Mar 20

Description

WWBN AVideo is an open source video platform. In versions 25.0 and below, /objects/phpsessionid.json.php exposes the current PHP session ID to any unauthenticated request. The allowOrigin() function reflects any Origin header back in Access-Control-Allow-Origin with Access-Control-Allow-Credentials: true, enabling cross-origin session theft and full account takeover. This issue has been fixed in version 26.0.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Exploitability: 2.8 | Impact: 5.2

Affected Packages (2 packages)

NVD: wwbn/avideo < 26.0
Packagist: wwbn/avideo 25.0

Patches

Vulnerability Details (2)

GHSA: AVideo affected by Session Hijacking via Unauthenticated Session ID Disclosure with Permissive CORS (2026-03-17)
OSV: AVideo affected by Session Hijacking via Unauthenticated Session ID Disclosure with Permissive CORS (2026-03-17)

Threat Intelligence (1)

Wiz: CVE-2026-33043 Impact, Exploitability, and Mitigation Steps | Wiz