CVE-2026-33492
Published: 23 March 2026
Summary
CVE-2026-33492 is a high-severity Session Fixation (CWE-384) vulnerability in WWBN AVideo. Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); it is ranked at the 24.3 percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SC-23 (Session Authenticity).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SC-23 requires mechanisms that protect the authenticity of communications sessions, which explicitly covers preventing session fixation; for this CVE that means rejecting arbitrary PHPSESSID values and the session hijacking that follows.
IA-5 mandates proper management of authenticators, session identifiers included, and requires that they be regenerated or refreshed; this directly counters the session regeneration that is disabled in User::login() in this CVE.
SI-10 enforces validation of information inputs such as the PHPSESSID GET parameter, mitigating the injection of arbitrary session IDs from untrusted sources that this CVE exploits.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE enables session fixation in a public-facing web application (T1190), lets an attacker use a predetermined web session cookie to hijack the session after the victim logs in (T1550.004), and requires delivery of a malicious URL carrying the fixed PHPSESSID, typically via a spearphishing link (T1566.002).
NVD Description
WWBN AVideo is an open source video platform. In versions up to and including 26.0, AVideo's `_session_start()` function accepts arbitrary session IDs via the `PHPSESSID` GET parameter and sets them as the active PHP session. A session regeneration bypass exists for specific blacklisted endpoints when the request originates from the same domain. Combined with the explicitly disabled session regeneration in `User::login()`, this allows a classic session fixation attack where an attacker can fix a victim's session ID before authentication and then hijack the authenticated session. Commit 5647a94d79bf69a972a86653fe02144079948785 contains a patch.
Deeper analysis
CVE-2026-33492 is a session fixation vulnerability in WWBN AVideo, an open source video platform. The issue affects versions up to and including 26.0, where the `_session_start()` function accepts arbitrary session IDs supplied via the `PHPSESSID` GET parameter and sets them as the active PHP session. A session regeneration bypass exists for specific blacklisted endpoints when requests originate from the same domain, and session regeneration is explicitly disabled in the `User::login()` function. This combination enables a classic session fixation attack, classified under CWE-384 with a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N).
An attacker can exploit this vulnerability by tricking a victim into visiting a malicious URL containing a predetermined `PHPSESSID` value, fixing the victim's session ID prior to authentication. Once the victim logs in, the attacker can reuse the same session ID to hijack the authenticated session, potentially accessing sensitive user data and performing actions on the victim's behalf. Exploitation requires low privileges (PR:L), user interaction (UI:R) such as clicking a link, and network access, but no high privileges or special conditions beyond same-domain requests for the bypass.
The GitHub security advisory (GHSA-x3pr-vrhq-vq43) and patch commit 5647a94d79bf69a972a86653fe02144079948785 detail the fix, which addresses the arbitrary session acceptance and regeneration issues. Security practitioners should update to a patched version beyond 26.0 and review session handling configurations to prevent similar fixation risks.
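The two session-handling defects described above, shown as an added PHP illustration beside a hardened form. This is not AVideo's code and not the contents of the patch commit; the function names (insecureSessionStart, secureSessionStart, loginUser) are hypothetical.

```php
<?php
// Insecure pattern (the class of defect in this CVE): trusting a session ID
// supplied in the query string. Whoever chooses the PHPSESSID value in a URL
// the victim opens has chosen the victim's session ID before login.
function insecureSessionStart(): void
{
    if (!empty($_GET['PHPSESSID'])) {
        session_id($_GET['PHPSESSID']);   // attacker-controlled session ID
    }
    session_start();
}

// Hardened pattern: never read the session ID from the URL, only from the
// cookie, and refuse IDs the server did not itself create.
function secureSessionStart(): void
{
    ini_set('session.use_only_cookies', '1'); // ignore PHPSESSID in GET/POST
    ini_set('session.use_trans_sid', '0');    // no session ID in rewritten URLs
    ini_set('session.use_strict_mode', '1');  // reject uninitialised session IDs
    session_set_cookie_params([
        'httponly' => true,
        'secure'   => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

// On successful authentication, rotate the session ID and discard the old
// session data, so any ID fixed before login no longer maps to the
// authenticated session. This is the step the advisory says User::login()
// explicitly disabled.
function loginUser(int $userId): void
{
    session_regenerate_id(true);          // true = delete the old session file
    $_SESSION['user_id']  = $userId;
    $_SESSION['login_at'] = time();
}

secureSessionStart();
// Credential check happens elsewhere; on success call:
// loginUser($authenticatedUserId);
```

When reviewing a deployment, also check that no endpoint is exempted from regeneration on the basis of a same-domain Referer, since that is the bypass the advisory describes.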
Details
- CWE(s)