CVE-2026-33716
Published 2026-03-23
Priority P260 · critical · CVSS 3.1 base score 9.4
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H (network, low complexity, no privileges, no user interaction, unchanged scope; confidentiality low, integrity high, availability high)
EPSS 0.44% (35.0th percentile)
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the standalone live stream control endpoint at `plugin/Live/standAloneFiles/control.json.php` accepts a user-supplied `streamerURL` parameter that overrides where the server sends token verification requests. An attacker can redirect token verification to a server they control that always returns `{"error": false}`, completely bypassing authentication. This grants unauthenticated control over any live stream on the platform, including dropping active publishers, starting/stopping recordings, and probing stream existence. Commit 388fcd57dbd16f6cb3ebcdf1d08cf2b929941128 contains a patch.
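The flaw described above is a trust-boundary mistake: the request that needs to be authenticated also gets to choose which server performs the authentication. The following is an added example, not code from AVideo or from the advisory, that models that check in Python. Only the parameter name `streamerURL` and the bypass response `{"error": false}` come from the advisory; the function names, hostnames, config keys, the fake network and the allowlist are assumptions made for illustration. It shows the vulnerable pattern beside a hardened one, and also why a string-prefix check on the override is not a fix.

```python
"""
Added example, not code from AVideo or its advisory: a model of the token
check that CVE-2026-33716 describes. The parameter name `streamerURL` and
the bypass response `{"error": false}` come from the advisory; the function
names, hostnames, config keys and the fake network below are assumptions.
"""
from urllib.parse import urlsplit

# Constructed stand-in for the network: host -> function(token) -> JSON body
# that the token-verification endpoint on that host would return.
FAKE_NET = {
    # The deployment's real streamer: only the genuine token passes.
    "streamer.example.com": lambda token: {"error": token != "s3cret-token"},
    # Attacker-controlled host: unconditionally reports success.
    "attacker.example.net": lambda token: {"error": False},
}

CONFIG = {"streamer_url": "https://streamer.example.com"}
ALLOWED_VERIFIER_HOSTS = {"streamer.example.com", "backup-streamer.example.com"}


def fake_post(url, data):
    """Simulates the server-side HTTP request the platform makes."""
    host = urlsplit(url).hostname
    if host not in FAKE_NET:
        raise ConnectionError("no route to %r" % host)
    return FAKE_NET[host](data.get("token", ""))


def verify_token_vulnerable(params):
    """Vulnerable pattern: the request decides where the token is verified,
    so an attacker can point it at a server that always answers 'ok'."""
    base = params.get("streamerURL") or CONFIG["streamer_url"]
    resp = fake_post(base.rstrip("/") + "/verify", {"token": params.get("token", "")})
    return resp.get("error") is False


def verify_token_fixed(params):
    """Hardened: the verification target comes from server configuration;
    a client-supplied streamerURL is ignored."""
    base = CONFIG["streamer_url"]
    resp = fake_post(base.rstrip("/") + "/verify", {"token": params.get("token", "")})
    return resp.get("error") is False


def resolve_verifier_naive(override):
    """If an override must be supported, a string-prefix check is NOT enough:
    'https://streamer.example.com.attacker.example.net' and
    'https://streamer.example.com@attacker.example.net' both pass it."""
    if override.startswith(CONFIG["streamer_url"]):
        return override
    raise ValueError("rejected")


def resolve_verifier(override):
    """Allowlist by parsed hostname, require https, and rebuild the URL from
    the parsed parts so userinfo or paths from the client are never forwarded."""
    if not override:
        return CONFIG["streamer_url"]
    p = urlsplit(override)
    if p.scheme != "https" or p.username or p.password:
        raise ValueError("rejected")
    if p.hostname not in ALLOWED_VERIFIER_HOSTS:
        raise ValueError("rejected")
    return "https://" + p.hostname


def verifier_host(url):
    """Which host a verification request built from `url` would actually hit."""
    return urlsplit(url).hostname


if __name__ == "__main__":
    attack = {"streamerURL": "https://attacker.example.net", "token": "bogus"}
    print("vulnerable:", verify_token_vulnerable(attack))  # True: authentication bypassed
    print("fixed:     ", verify_token_fixed(attack))       # False: token checked at the real streamer
```

The strict `is False` comparison matters in the hardened path too: a verifier that returned `{"error": 0}` or `{}` should not be read as success. If a per-deployment override is genuinely needed, `resolve_verifier` shows the shape of an acceptable check: parse, compare the hostname against a fixed allowlist, and rebuild the URL rather than forwarding the client's string.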
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| wwbn | avideo | <= 26.0 | — |
| wwbn | avideo | 0 – 26.0 | — |
Detection & IOCs (extracted from sources)
- Monitor HTTP requests to `plugin/Live/standAloneFiles/control.json.php` that carry a `streamerURL` parameter pointing at an external or otherwise unexpected host; this parameter is the SSRF/auth-bypass vector.
- Alert on unauthenticated requests to `control.json.php`: successful exploitation grants unauthenticated control over live streams, including dropping publishers and starting/stopping recordings.
- Look for outbound server-side HTTP requests from the AVideo host to hosts other than the configured streamer; an attacker-controlled endpoint answering `{"error": false}` is the token verification bypass.
- The vulnerability affects WWBN AVideo versions up to and including 26.0. Installations at or below this version with the Live plugin enabled are exposed.
- The vulnerable endpoint is part of the Live plugin's standalone files; deployments without the Live plugin active may not expose this attack surface.
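The first of the detection points above can be checked directly against web server access logs. The following is an added example, not from the advisory or the AVideo project: a small Python scanner that parses combined-format log lines, keeps only requests to `control.json.php`, and flags any `streamerURL` value whose parsed hostname is not the deployment's own streamer. The endpoint path and the parameter name come from the advisory; the sample log lines, the `action`/`key` parameter names in them, the client addresses, the hostnames and the allowlist are constructed for this example.

```python
"""
Added example, not from the advisory or AVideo: a scanner for web server
access logs that flags the request pattern CVE-2026-33716 describes. The
endpoint path and the `streamerURL` parameter name come from the advisory;
the log lines, other parameter names, hostnames and allowlist are constructed.
"""
import re
from urllib.parse import urlsplit, parse_qs

# Combined log format prefix: client, ident, user, [time], "METHOD TARGET PROTO", status
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

VULN_SCRIPT = "/plugin/Live/standAloneFiles/control.json.php"
# Hosts this deployment legitimately uses for token verification (assumption).
EXPECTED_STREAMER_HOSTS = {"streamer.example.com"}

# Constructed sample lines: one benign call, one override to the expected host,
# two overrides pointing elsewhere (an external host and loopback), and a POST
# whose parameters live in the body and so never reach the access log.
SAMPLE_LOG = """\
203.0.113.5 - - [23/Mar/2026:10:00:01 +0000] "GET /plugin/Live/standAloneFiles/control.json.php?action=exists&key=abc&token=t1 HTTP/1.1" 200 42 "-" "curl/8.0"
203.0.113.5 - - [23/Mar/2026:10:00:02 +0000] "GET /plugin/Live/standAloneFiles/control.json.php?action=drop&key=abc&token=t1&streamerURL=https%3A%2F%2Fstreamer.example.com HTTP/1.1" 200 42 "-" "curl/8.0"
198.51.100.7 - - [23/Mar/2026:10:05:13 +0000] "GET /plugin/Live/standAloneFiles/control.json.php?action=drop&key=victim&token=x&streamerURL=https%3A%2F%2Fattacker.example.net%2F HTTP/1.1" 200 42 "-" "python-requests/2.31"
198.51.100.7 - - [23/Mar/2026:10:05:14 +0000] "GET /plugin/Live/standAloneFiles/control.json.php?action=record&key=victim&token=x&streamerURL=http%3A%2F%2F127.0.0.1%3A8080%2F HTTP/1.1" 200 42 "-" "python-requests/2.31"
198.51.100.7 - - [23/Mar/2026:10:05:15 +0000] "POST /plugin/Live/standAloneFiles/control.json.php HTTP/1.1" 200 42 "-" "python-requests/2.31"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    parts = urlsplit(e["target"])
    e["script"] = parts.path
    e["query"] = parse_qs(parts.query, keep_blank_values=True)
    return e


def classify(e):
    """Return an alert dict for a suspicious control.json.php request, else None."""
    if not e["script"].endswith(VULN_SCRIPT):
        return None
    if e["method"] != "GET":
        # Body parameters are not in the access log: without WAF or
        # request-body logging this request cannot be cleared or confirmed.
        return {"client": e["client"], "ts": e["ts"], "host": None, "action": "",
                "reason": "non-GET to control.json.php; body parameters not visible"}
    overrides = e["query"].get("streamerURL")
    if not overrides:
        return None
    host = urlsplit(overrides[0]).hostname  # None when no scheme was given
    if host in EXPECTED_STREAMER_HOSTS:
        return None
    return {"client": e["client"], "ts": e["ts"], "host": host,
            "action": e["query"].get("action", [""])[0],
            "reason": "streamerURL override to unexpected host"}


def scan(log_text):
    """Run classify() over every parseable line and collect the alerts in order."""
    alerts = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is not None:
            a = classify(e)
            if a is not None:
                alerts.append(a)
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(a["ts"], a["client"], a["host"], a["reason"])
```

Two caveats a practitioner would want: the override is only visible in the access log when it is sent in the query string, so a POST body needs WAF or request-body logging to be judged at all (the scanner surfaces such requests rather than silently passing them); and the loopback/private-address case is worth keeping as a separate alert, since the same parameter lets the server be pointed at internal services, which is the SSRF side of this bug. Egress logs from the AVideo host (the third detection point above) are the complementary signal and catch the body-parameter case as well.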
GHSA
ghsa · 2026-03-25
CVE-2026-33716 [CRITICAL] CWE-287 (Improper Authentication)
AVideo Allows Unauthenticated Live Stream Control via Token Verification URL Override in control.json.php
## Summary
The standalone live stream control endpoint at `plugin/Live/standAloneFiles/control.json.php` accepts a user-supplied `streamerURL` parameter that overrides where the server sends token verification requests. An attacker can redirect token verification to a server they control that always returns `{"error": false}`, completely bypassing authentication. This grants unauthenticated control over any live stream on the platform, including dropping active publishers, starting/stopping recordings, and probing stream existence.
## Details
The vulnerability exists because the `streamerURL` parameter is accepted directly from user input with no validation:
**`plugin/Live/standAl
OSV
osv · 2026-03-25
CVE-2026-33716 [CRITICAL] AVideo Allows Unauthenticated Live Stream Control via Token Verification URL Override in control.json.php (same summary and details text as the GHSA entry above)
No detection rules found.
No public exploits indexed.