CVE-2026-33043
Published: 20 March 2026
Summary
CVE-2026-33043 is a high-severity Permissive Cross-domain Policy with Untrusted Domains (CWE-942) vulnerability in WWBN AVideo. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Browser Session Hijacking (T1185). The vulnerability ranks at the 4.3rd percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a publicly referenced proof-of-concept.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-22 (Publicly Accessible Content).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Limits and authorizes specific actions performable without identification or authentication, preventing unauthenticated exposure of the PHP session ID via the /objects/phpsessionid.json.php endpoint.
Enforces cross-domain policies to block reflection of arbitrary Origin headers in Access-Control-Allow-Origin with Access-Control-Allow-Credentials true, mitigating cross-origin session theft.
Restricts access to and protects non-public information like session IDs within publicly accessible content on the video platform.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Directly enables cross-origin theft of the PHP session ID via permissive CORS (ACAO reflection combined with credentials), facilitating Browser Session Hijacking (T1185), Steal Web Session Cookie (T1539), and subsequent Use Alternate Authentication Material: Web Session Cookie (T1550.004).
NVD Description
WWBN AVideo is an open source video platform. In versions 25.0 and below, /objects/phpsessionid.json.php exposes the current PHP session ID to any unauthenticated request. The allowOrigin() function reflects any Origin header back in Access-Control-Allow-Origin with Access-Control-Allow-Credentials: true, enabling cross-origin session theft and full account takeover. This issue has been fixed in version 26.0.
Deeper analysis
CVE-2026-33043 is a vulnerability in WWBN AVideo, an open source video platform, affecting versions 25.0 and below. The issue resides in the /objects/phpsessionid.json.php endpoint, which exposes the current PHP session ID to any unauthenticated request. Compounding this, the allowOrigin() function blindly reflects any supplied Origin header in the Access-Control-Allow-Origin response header while including Access-Control-Allow-Credentials: true, which permits cross-origin session theft. The vulnerability is rated 8.1 on the CVSS 3.1 scale (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N) and is associated with CWE-942 (Permissive Cross-domain Policy with Untrusted Domains).
An unauthenticated attacker can exploit this vulnerability remotely with low attack complexity, though it requires user interaction. By hosting a malicious webpage on a different origin and tricking a logged-in victim into visiting it or triggering a cross-origin request, the attacker can read the exposed session ID via JavaScript. This enables full session hijacking and account takeover, granting high-impact access to the victim's confidentiality and integrity without affecting availability.
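The two header decisions that make this finding dangerous, shown side by side as an added Python example. This is not code from AVideo, from the fixing commit or from the advisory: the allowlist, the probe origin and the response dictionaries are constructed for illustration, and the allowlist comparison in cors_headers_for() illustrates the general remediation principle (exact match against a fixed set, never reflection) rather than claiming to reproduce what the project's patch does. classify_cors() is the check a defender runs against their own deployment's responses, and browser_exposes_body() models the browser-side CORS rule that decides whether a cross-origin page can read a credentialed response body such as a session-ID JSON document.

```python
"""Hardened CORS origin handling beside a classifier for the reflective,
credentialed pattern described in CVE-2026-33043 (CWE-942)."""

from typing import Mapping, Optional

# Constructed allowlist of origins permitted to make credentialed cross-origin
# requests. Exact strings including scheme; no wildcards, no suffix matching.
ALLOWED_ORIGINS = frozenset({"https://video.example.org", "https://admin.example.org"})


def cors_headers_for(origin: Optional[str],
                     allowed: frozenset = ALLOWED_ORIGINS) -> dict:
    """Return CORS response headers for a request that carried `origin`.

    Hardened behaviour: the Origin value is compared against a fixed allowlist.
    A non-listed (or absent) Origin gets no Access-Control-Allow-Origin header at
    all, so the browser refuses to expose the response body to that origin.
    `Vary: Origin` stops a shared cache from replaying one origin's headers to
    another. Contrast with reflecting the Origin unconditionally alongside
    Access-Control-Allow-Credentials: true, which lets any site read the body.
    """
    if origin is None or origin not in allowed:
        return {"Vary": "Origin"}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",
    }


def _normalise(headers: Mapping[str, str]) -> dict:
    """Lower-case header names and strip values; HTTP header names are case-insensitive."""
    return {k.lower(): v.strip() for k, v in headers.items()}


def classify_cors(probe_origin: str, response_headers: Mapping[str, str]) -> str:
    """Classify one observed response to a request sent with Origin: `probe_origin`.

    `probe_origin` must be an origin you do NOT trust, so that an echo of it
    proves reflection rather than a legitimate allowlist hit. Returns one of:
      'reflective-credentialed'  ACAO echoes the probe and credentials allowed
                                 (the pattern in this advisory)
      'reflective'               ACAO echoes the probe, credentials not allowed
      'wildcard-credentialed'    '*' plus credentials (browsers reject this)
      'wildcard'                 '*' without credentials
      'allowlisted'              ACAO set to some other fixed value
      'none'                     no ACAO header at all
    """
    h = _normalise(response_headers)
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    if acao is None:
        return "none"
    if acao == "*":
        return "wildcard-credentialed" if creds else "wildcard"
    if acao == probe_origin:
        return "reflective-credentialed" if creds else "reflective"
    return "allowlisted"


def browser_exposes_body(request_origin: str, response_headers: Mapping[str, str],
                         with_credentials: bool) -> bool:
    """Model the browser's CORS decision for a cross-origin fetch from `request_origin`.

    With credentials (cookies sent, as for a session cookie), the body is exposed
    only if ACAO exactly equals the requesting origin AND credentials are allowed;
    '*' is rejected in that mode. Without credentials, '*' or an exact match suffices.
    """
    h = _normalise(response_headers)
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    if acao is None:
        return False
    if with_credentials:
        return acao == request_origin and creds
    return acao == "*" or acao == request_origin


# Constructed probe: an origin that is deliberately not on the allowlist.
PROBE_ORIGIN = "https://untrusted.example"

# Constructed response modelled on the advisory's description (not captured traffic):
# the Origin is echoed and credentials are permitted.
VULNERABLE_RESPONSE = {
    "Content-Type": "application/json",
    "Access-Control-Allow-Origin": PROBE_ORIGIN,
    "Access-Control-Allow-Credentials": "true",
}

# What the hardened handler returns for the same probe.
HARDENED_RESPONSE = cors_headers_for(PROBE_ORIGIN)

if __name__ == "__main__":
    for label, resp in (("vulnerable", VULNERABLE_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"{label}: {classify_cors(PROBE_ORIGIN, resp)}, "
              f"cookie-bearing body readable cross-origin: "
              f"{browser_exposes_body(PROBE_ORIGIN, resp, with_credentials=True)}")
```

Run against a real deployment, the same classifier is fed the headers of a response to a request that carried an untrusted Origin; 'reflective-credentialed' on a cookie-protected endpoint is the condition this advisory describes, and 'none' or 'allowlisted' is what a patched instance should return for any origin outside its configuration.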
The vulnerability has been addressed in AVideo version 26.0. Mitigation details are available in the fixing commit at https://github.com/WWBN/AVideo/commit/9f4f51e5df5e3343400f9d0068705f5482b6f930 and the GitHub security advisory at https://github.com/WWBN/AVideo/security/advisories/GHSA-qc3p-398r-p59j.
Details
- CWE(s)