CVE-2026-33716
published 2026-03-23

CVE-2026-33716: WWBN AVideo is an open source video platform. In versions up to and including 26.0, the standalone live stream control endpoint at…

Priority: P260 · critical · 9.4 (CVSS 3.1)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H
EPSS: 0.44% (35.0th percentile)
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the standalone live stream control endpoint at `plugin/Live/standAloneFiles/control.json.php` accepts a user-supplied `streamerURL` parameter that overrides where the server sends token verification requests. An attacker can redirect token verification to a server they control that always returns `{"error": false}`, completely bypassing authentication. This grants unauthenticated control over any live stream on the platform, including dropping active publishers, starting/stopping recordings, and probing stream existence. Commit 388fcd57dbd16f6cb3ebcdf1d08cf2b929941128 contains a patch.

Affected

2 ranges
| Vendor | Product | Version range | Fixed in |
| --- | --- | --- | --- |
| wwbn | avideo | <= 26.0 | |
| wwbn | avideo | 0 – 26.0 | |

Detection & IOCs (extracted from sources)

path: `plugin/Live/standAloneFiles/control.json.php`
other: `streamerURL`
hash: 388fcd57dbd16f6cb3ebcdf1d08cf2b929941128
  • Monitor HTTP requests to `plugin/Live/standAloneFiles/control.json.php` that include a `streamerURL` parameter pointing to an external or unexpected host — this is the SSRF/auth-bypass vector.
  • Alert on unauthenticated requests to `control.json.php` — successful exploitation grants unauthenticated control over live streams including dropping publishers and starting/stopping recordings.
  • Look for outbound server-side HTTP requests originating from the AVideo host to attacker-controlled endpoints returning `{"error": false}` as a token verification bypass response.
  • The vulnerability affects WWBN AVideo versions up to and including 26.0. Installations at or below this version with the Live plugin enabled are exposed.
  • The vulnerable endpoint is part of the Live plugin's standalone files; deployments without the Live plugin active may not expose this attack surface.
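One way to run the first monitoring check above over web server access logs, as an added example that is not taken from the advisory or from AVideo's code. It assumes combined-format access logs and that `streamerURL` arrives in the query string (a request body is not recorded in this log format); `EXPECTED_HOSTS` is a hypothetical allowlist and the sample lines are constructed.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

ENDPOINT = "plugin/Live/standAloneFiles/control.json.php"  # path from the advisory
# Assumption: hosts this deployment legitimately uses for token verification.
EXPECTED_HOSTS = {"video.example.org"}

# Combined log format: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

def streamer_url_findings(lines, expected_hosts=EXPECTED_HOSTS):
    """Return one finding per streamerURL value whose host is not expected."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        try:
            target = urlsplit(m["target"])
        except ValueError:
            continue
        if ENDPOINT not in unquote(target.path):
            continue
        # parse_qs percent-decodes values and keeps repeated parameters.
        for value in parse_qs(target.query).get("streamerURL", []):
            try:
                host = (urlsplit(value).hostname or "").lower()
            except ValueError:
                host = ""  # unparseable value: report it rather than skip it
            if host not in expected_hosts:
                findings.append({"client": m["client"], "time": m["ts"],
                                 "status": int(m["status"]), "host": host,
                                 "streamerURL": value})
    return findings

# Constructed sample access-log lines (documentation addresses and hosts).
SAMPLE_LOG = [
    '203.0.113.7 - - [23/Mar/2026:10:00:01 +0000] "GET /plugin/Live/standAloneFiles/control.json.php?streamerURL=https%3A%2F%2Fverify.test.invalid%2F HTTP/1.1" 200 17 "-" "-"',
    '198.51.100.4 - - [23/Mar/2026:10:00:05 +0000] "GET /plugin/Live/standAloneFiles/control.json.php?streamerURL=https%3A%2F%2Fvideo.example.org%2F HTTP/1.1" 200 17 "-" "-"',
    '198.51.100.4 - - [23/Mar/2026:10:00:09 +0000] "GET /plugin/Live/standAloneFiles/control.json.php?streamerURL=https%3A%2F%2FVIDEO.EXAMPLE.ORG%2Fvideo HTTP/1.1" 200 17 "-" "-"',
    '198.51.100.9 - - [23/Mar/2026:10:00:12 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "-"',
]

if __name__ == "__main__":
    for finding in streamer_url_findings(SAMPLE_LOG):
        print(finding)
```

Each finding carries the client address and timestamp, which can be correlated with outbound connections from the AVideo host to the reported `host` in egress or proxy logs.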