CVE-2026-33492
Published 2026-03-23
Priority: P3 (45) · Severity: high · CVSS 3.1 base score: 7.3
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
EPSS: 0.30% (21.2 percentile)
WWBN AVideo is an open source video platform. In versions up to and including 26.0, AVideo's `_session_start()` function accepts arbitrary session IDs via the `PHPSESSID` GET parameter and sets them as the active PHP session. A session regeneration bypass exists for specific blacklisted endpoints when the request originates from the same domain. Combined with the explicitly disabled session regeneration in `User::login()`, this allows a classic session fixation attack where an attacker can fix a victim's session ID before authentication and then hijack the authenticated session. Commit 5647a94d79bf69a972a86653fe02144079948785 contains a patch.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| wwbn | avideo | <= 26.0 | — |
| wwbn | avideo | 0 – 26.0 | — |
GHSA
AVideo has Session Fixation via GET PHPSESSID Parameter With Disabled Login Session Regeneration
ghsa · 2026-03-20 · CVE-2026-33492 · HIGH · CWE-384
## Summary
AVideo's `_session_start()` function accepts arbitrary session IDs via the `PHPSESSID` GET parameter and sets them as the active PHP session. A session regeneration bypass exists for specific blacklisted endpoints when the request originates from the same domain. Combined with the explicitly disabled session regeneration in `User::login()`, this allows a classic session fixation attack where an attacker can fix a victim's session ID before authentication and then hijack the authenticated session.
## Details
The vulnerability is a chain of three weaknesses that together enable session fixation:
### 1. Attacker-controlled session ID acceptance (`objects/functionsPHP.php:344-367`)
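The description and the GHSA Details above name two links of the chain that a defender controls directly: honouring a `PHPSESSID` from the query string, and skipping session regeneration at login. The following is an added PHP example, not AVideo's code and not part of the advisory; `weak_session_start`, `safe_session_start` and `on_login_success` are hypothetical names chosen to show the weak pattern beside its hardened form.

```php
<?php
// Added example (not AVideo's code). Function names are hypothetical.

// Weak pattern: a session ID supplied in the query string is honoured, so an
// ID chosen before authentication becomes the active session.
function weak_session_start(): void
{
    if (!empty($_GET['PHPSESSID'])) {
        session_id($_GET['PHPSESSID']);   // caller-controlled session ID
    }
    session_start();
}

// Hardened form: the ID is only ever read from the cookie, IDs the server
// never issued are rejected, and a malformed cookie value is discarded.
function safe_session_start(): void
{
    ini_set('session.use_only_cookies', '1'); // ignore PHPSESSID in URL/POST
    ini_set('session.use_trans_sid', '0');    // never append the ID to URLs
    ini_set('session.use_strict_mode', '1');  // reject uninitialised IDs
    ini_set('session.cookie_httponly', '1');
    ini_set('session.cookie_samesite', 'Lax');

    $name = session_name();
    if (isset($_COOKIE[$name])
        && !preg_match('/^[a-zA-Z0-9,-]{22,256}$/', $_COOKIE[$name])) {
        unset($_COOKIE[$name]); // do not let a bad value reach session_start()
    }
    session_start();
}

// After a successful credential check, always issue a fresh ID. This is the
// step the advisory says is disabled in User::login(): without it, any
// session that existed before authentication becomes the authenticated one.
// Assumes safe_session_start() has already been called on this request.
function on_login_success(int $userId): void
{
    session_regenerate_id(true);  // true = destroy the pre-auth session data
    $_SESSION = [];               // start from a clean state
    $_SESSION['user_id']  = $userId;
    $_SESSION['login_ts'] = time();
}
```

With `session.use_strict_mode` enabled, PHP refuses a cookie carrying an ID it did not generate and issues a new one, which on its own defeats fixation even if a `session_id()` call slips through elsewhere.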
OSV
AVideo has Session Fixation via GET PHPSESSID Parameter With Disabled Login Session Regeneration
osv · 2026-03-20 · CVE-2026-33492 · HIGH
No detection rules found.
No public exploits indexed.