CVE-2026-33716: Improper Authentication in Avideo

Severity: 9.4 CRITICAL (NVD)
EPSS: 0.1% (top 74.17%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline
Published: Mar 23
Latest update: Mar 25

Description

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the standalone live stream control endpoint at `plugin/Live/standAloneFiles/control.json.php` accepts a user-supplied `streamerURL` parameter that overrides where the server sends token verification requests. An attacker can redirect token verification to a server they control that always returns `{"error": false}`, completely bypassing authentication. This grants unauthenticated control over any live stream on t
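The flaw class described above, shown as an added example that is not AVideo source code: a verifier that lets the request choose the verification server, beside one that takes it from server configuration only. The function names, the `verify` path, the hosts `streamer.example` and `untrusted.example`, and the stubbed fetcher are all constructed assumptions so the script runs offline.

```php
<?php
// Added illustration; not AVideo source. All names, paths and URLs are constructed.
const CONFIGURED_STREAMER_URL = 'https://streamer.example/'; // set in server config only

// Stand-in for the outbound HTTP call so the script runs offline.
// The configured streamer rejects the sample token; any other host answers as it likes.
function fakeFetch(string $url): string {
    $host = parse_url($url, PHP_URL_HOST);
    return $host === 'streamer.example'
        ? '{"error": true, "msg": "invalid token"}'
        : '{"error": false}';
}

// Shared check: accept only a JSON reply whose "error" field is exactly false.
function tokenIsValid(string $baseUrl, string $token, callable $fetch): bool {
    $reply = json_decode($fetch($baseUrl . 'verify?token=' . rawurlencode($token)), true);
    return is_array($reply) && array_key_exists('error', $reply) && $reply['error'] === false;
}

// Vulnerable pattern: a request parameter decides which server vouches for the token.
function verifyVulnerable(array $request, callable $fetch): bool {
    $base = $request['streamerURL'] ?? CONFIGURED_STREAMER_URL;
    return tokenIsValid($base, $request['token'] ?? '', $fetch);
}

// Hardened pattern: the verification server comes from configuration only.
// A request carrying an override is refused and logged, which also gives
// defenders a signal to alert on.
function verifyHardened(array $request, callable $fetch): bool {
    if (array_key_exists('streamerURL', $request)) {
        error_log('rejected request carrying a streamerURL override');
        return false;
    }
    return tokenIsValid(CONFIGURED_STREAMER_URL, $request['token'] ?? '', $fetch);
}

// Constructed request: an invalid token plus a verification-URL override.
$request = ['token' => 'not-a-real-token', 'streamerURL' => 'https://untrusted.example/'];
var_dump(verifyVulnerable($request, 'fakeFetch')); // verdict comes from the request-chosen host
var_dump(verifyHardened($request, 'fakeFetch'));   // override refused before any lookup
unset($request['streamerURL']);
var_dump(verifyHardened($request, 'fakeFetch'));   // configured streamer consulted
```

For detection on an affected deployment, requests to `plugin/Live/standAloneFiles/control.json.php` that carry a `streamerURL` parameter are the thing to search web server logs for.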

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H
Exploitability: 3.9 | Impact: 5.5

Affected Packages (2 packages)

NVD: wwbn/avideo 26.0
Packagist: wwbn/avideo 26.0

Patches

🔴 Vulnerability Details (2)

GHSA: AVideo Allows Unauthenticated Live Stream Control via Token Verification URL Override in control.json.php (2026-03-25)
OSV: AVideo Allows Unauthenticated Live Stream Control via Token Verification URL Override in control.json.php (2026-03-25)

🕵️ Threat Intelligence (1)

Wiz: CVE-2026-33716 Impact, Exploitability, and Mitigation Steps | Wiz