CVE-2026-33492 — Session Fixation in Avideo

CWE-384 — Session Fixation4 documents4 sources

Severity

7.3HIGHNVD

EPSS

0.1%

top 77.93%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Wwbn Avideo

Timeline

Latest updateMar 20

PublishedMar 23

Description

WWBN AVideo is an open source video platform. In versions up to and including 26.0, AVideo's `_session_start()` function accepts arbitrary session IDs via the `PHPSESSID` GET parameter and sets them as the active PHP session. A session regeneration bypass exists for specific blacklisted endpoints when the request originates from the same domain. Combined with the explicitly disabled session regeneration in `User::login()`, this allows a classic session fixation attack where an attacker can fix a…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:NExploitability: 2.1 | Impact: 5.2

Affected Packages2 packages

▶NVDwwbn/avideo26.0

▶Packagistwwbn/avideo26.0

Patches

Patch: github.com ↗

🔴Vulnerability Details

GHSA

AVideo has Session Fixation via GET PHPSESSID Parameter With Disabled Login Session Regeneration↗2026-03-20

▶

OSV

AVideo has Session Fixation via GET PHPSESSID Parameter With Disabled Login Session Regeneration↗2026-03-20

▶

🕵️Threat Intelligence

Wiz

CVE-2026-33492 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶