Cyber Resilience

CVE-2026-33492

Severity: High · Public PoC

Published: 23 March 2026
Modified: 24 March 2026
CVSS Score (v3.1): 7.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N)
EPSS Score: 0.0010 (27.1st percentile)
Risk Priority: 15 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-33492 is a high-severity Session Fixation (CWE-384) vulnerability in Wwbn Avideo. Its CVSS base score is 7.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 27.1st percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SC-23 (Session Authenticity).

Deeper analysis

CVE-2026-33492 is a session fixation vulnerability in WWBN AVideo, an open source video platform. The issue affects versions up to and including 26.0, where the `_session_start()` function accepts arbitrary session IDs supplied via the `PHPSESSID` GET parameter and sets them as the active PHP session. A session regeneration bypass exists for specific blacklisted endpoints when requests originate from the same domain, and session regeneration is explicitly disabled in the `User::login()` function. This combination enables a classic session fixation attack, classified under CWE-384 with a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N).

An attacker can exploit this vulnerability by tricking a victim into visiting a malicious URL containing a predetermined `PHPSESSID` value, fixing the victim's session ID prior to authentication. Once the victim logs in, the attacker can reuse the same session ID to hijack the authenticated session, potentially accessing sensitive user data and performing actions on the victim's behalf. Exploitation requires low privileges (PR:L), user interaction (UI:R) such as clicking a link, and network access; beyond the same-domain requests needed for the regeneration bypass, no high privileges or special conditions are required.

The GitHub security advisory (GHSA-x3pr-vrhq-vq43) and patch commit 5647a94d79bf69a972a86653fe02144079948785 detail the fix, which addresses the arbitrary session acceptance and regeneration issues. Security practitioners should update to a patched version beyond 26.0 and review session handling configurations to prevent similar fixation risks.
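The following PHP is added here as an illustration; it is not AVideo's code or its patch, and the function names are hypothetical. It shows the session-handling pattern the advisory describes (a `_session_start()` that installs a URL-supplied `PHPSESSID`, and a `User::login()` that never regenerates the ID) beside a hardened form that applies the SC-23 and IA-5 controls named above.

```php
<?php
declare(strict_types=1);
// Illustration added to this page, not AVideo's code or its patch.
// Function names are hypothetical.

// Vulnerable pattern (as the advisory describes): a session ID taken from
// the URL is installed as the active session, so a link carrying
// ?PHPSESSID=<value> fixes the ID a victim will later authenticate under.
function vulnerable_session_start(): void
{
    if (isset($_GET['PHPSESSID']) && $_GET['PHPSESSID'] !== '') {
        session_id($_GET['PHPSESSID']);
    }
    session_start();
}

// Vulnerable login pattern: authentication succeeds, but the identifier is
// never rotated, so the pre-authentication ID stays valid afterwards.
function vulnerable_login(int $userId): void
{
    $_SESSION['user_id'] = $userId;
}

// Hardened pattern: the ID comes only from the cookie (never the URL),
// cookie IDs the server did not issue are replaced, and the cookie is scoped.
function hardened_session_start(): void
{
    ini_set('session.use_only_cookies', '1'); // ignore PHPSESSID in query strings
    ini_set('session.use_trans_sid', '0');    // never rewrite IDs into URLs
    ini_set('session.use_strict_mode', '1');  // uninitialized cookie IDs get replaced
    ini_set('session.cookie_httponly', '1');
    ini_set('session.cookie_samesite', 'Lax');
    session_start();
}

// Hardened login: rotate the identifier at the privilege change and delete
// the old session record, so an ID known before login is worthless after it.
function hardened_login(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
    $_SESSION['auth_time'] = time();
}
```

A quick check on a patched deployment is to compare the session cookie value issued before login with the one returned after a successful login: on a hardened install they differ, and a `PHPSESSID` query parameter has no effect on which session is active.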

Vulnerability details

WWBN AVideo is an open source video platform. In versions up to and including 26.0, AVideo's `_session_start()` function accepts arbitrary session IDs via the `PHPSESSID` GET parameter and sets them as the active PHP session. A session regeneration bypass exists for specific blacklisted endpoints when the request originates from the same domain. Combined with the explicitly disabled session regeneration in `User::login()`, this allows a classic session fixation attack where an attacker can fix a victim's session ID before authentication and then hijack the authenticated session. Commit 5647a94d79bf69a972a86653fe02144079948785 contains a patch.

CWE(s)

CWE-384 Session Fixation

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-mapped)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1550.004 Web Session Cookie (Lateral Movement): Adversaries can use stolen session cookies to authenticate to web applications and services.
T1566.002 Spearphishing Link (Initial Access): Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems.
Why these techniques?

The CVE enables session fixation in a public-facing web application (T1190); it lets an attacker reuse a predetermined web session cookie to hijack the session after the victim logs in (T1550.004); and it requires delivery of a malicious URL carrying the fixed PHPSESSID, typically via a spearphishing link (T1566.002).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-34394 (same product: Wwbn Avideo)
CVE-2026-33767 (same product: Wwbn Avideo)
CVE-2026-33038 (same product: Wwbn Avideo)
CVE-2026-41057 (same product: Wwbn Avideo)
CVE-2026-33479 (same product: Wwbn Avideo)
CVE-2026-34733 (same product: Wwbn Avideo)
CVE-2025-48732 (same product: Wwbn Avideo)
CVE-2026-28501 (same product: Wwbn Avideo)
CVE-2026-33292 (same product: Wwbn Avideo)
CVE-2025-25214 (same product: Wwbn Avideo)

Affected Assets

wwbn avideo ≤ 26.0

Mitigating Controls (NIST 800-53 r5, AI-mapped)

SC-23 Session Authenticity (prevent): requires mechanisms that protect the authenticity of communications sessions, which explicitly includes preventing session fixation; for this CVE that means not accepting an arbitrary PHPSESSID, which in turn blocks the hijack.

IA-5 Authenticator Management (prevent): mandates proper management of authenticators, including session identifiers, and requires them to be regenerated or refreshed; this counters the disabled session regeneration in User::login() in this CVE.

SI-10 Information Input Validation (prevent): enforces validation of inputs such as the PHPSESSID GET parameter, mitigating the injection of arbitrary session IDs from untrusted sources exploited in this CVE.
