High severityNVD Advisory· Published Mar 20, 2026· Updated Mar 25, 2026
AVideo affected by Session Hijacking via Unauthenticated Session ID Disclosure with Permissive CORS
CVE-2026-33043
Description
WWBN AVideo is an open source video platform. In versions 25.0 and below, /objects/phpsessionid.json.php exposes the current PHP session ID to any unauthenticated request. The allowOrigin() function reflects any Origin header back in Access-Control-Allow-Origin with Access-Control-Allow-Credentials: true, enabling cross-origin session theft and full account takeover. This issue has been fixed in version 26.0.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
wwbn/avideoPackagist | <= 25.0 | — |
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
4- github.com/advisories/GHSA-qc3p-398r-p59jghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-33043ghsaADVISORY
- github.com/WWBN/AVideo/commit/9f4f51e5df5e3343400f9d0068705f5482b6f930ghsax_refsource_MISCWEB
- github.com/WWBN/AVideo/security/advisories/GHSA-qc3p-398r-p59jghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.