CVE-2026-33296 — Open Redirect in Avideo

CWE-601 — Open Redirect4 documents4 sources

Severity

2.1LOWNVD

EPSS

0.0%

top 91.95%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Wwbn Avideo

Timeline

Latest updateMar 19

PublishedMar 22

Description

WWBN AVideo is an open source video platform. Prior to version 26.0, WWBN/AVideo contains an open redirect vulnerability in the login flow where a user-supplied redirectUri parameter is reflected directly into a JavaScript `document.location` assignment without JavaScript-safe encoding. After a user completes the login popup flow, a timer callback executes the redirect using the unvalidated value, sending the victim to an attacker-controlled site. Version 26.0 fixes the issue.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Affected Packages2 packages

▶NVDwwbn/avideo< 26.0

▶Packagistwwbn/avideo25.0

Patches

Patch: github.com ↗

🔴Vulnerability Details

GHSA

AVideo has an Open Redirect via Unvalidated redirectUri in userLogin.php↗2026-03-19

▶

OSV

AVideo has an Open Redirect via Unvalidated redirectUri in userLogin.php↗2026-03-19

▶

🕵️Threat Intelligence

Wiz

CVE-2026-33296 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶