Cyber Resilience

CVE-2026-33716

CriticalPublic PoC

Published: 23 March 2026

Published
23 March 2026
Modified
25 March 2026
KEV Added
Patch
CVSS Score v3.1 9.4 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H
EPSS Score 0.0044 34.9th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-33716 is a critical-severity Improper Authentication (CWE-287) vulnerability in Wwbn Avideo. Its CVSS base score is 9.4 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 34.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-33716 is an authentication bypass vulnerability in WWBN AVideo, an open source video platform. Affecting versions up to and including 26.0, the issue resides in the standalone live stream control endpoint at `plugin/Live/standAloneFiles/control.json.php`. This endpoint accepts a user-supplied `streamerURL` parameter that overrides the destination for token verification requests, enabling attackers to redirect these requests to a malicious server.

Any unauthenticated attacker with network access can exploit this vulnerability by controlling a server that responds to verification requests with `{"error": false}`, fully bypassing authentication checks. Successful exploitation grants complete control over any live stream on the platform, allowing actions such as dropping active publishers, starting or stopping recordings, and probing for stream existence. The vulnerability has a CVSS v3.1 base score of 9.4 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H) and is associated with CWE-287 (Improper Authentication).

The GitHub security advisory (GHSA-9hv9-gvwm-95f2) and commit 388fcd57dbd16f6cb3ebcdf1d08cf2b929941128 detail the patch, which addresses the insecure handling of the `streamerURL` parameter to prevent unauthorized overrides and ensure proper token verification. Security practitioners should update to a patched version beyond 26.0 and review configurations for exposed live stream endpoints.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the standalone live stream control endpoint at `plugin/Live/standAloneFiles/control.json.php` accepts a user-supplied `streamerURL` parameter that overrides where the server sends token verification requests. An attacker can…

more

redirect token verification to a server they control that always returns `{"error": false}`, completely bypassing authentication. This grants unauthenticated control over any live stream on the platform, including dropping active publishers, starting/stopping recordings, and probing stream existence. Commit 388fcd57dbd16f6cb3ebcdf1d08cf2b929941128 contains a patch.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability is an authentication bypass in a public-facing web endpoint (control.json.php) that unauthenticated remote attackers can exploit to gain control over live streams, directly enabling T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-33292Same product: Wwbn Avideo
CVE-2026-33479Same product: Wwbn Avideo
CVE-2026-33767Same product: Wwbn Avideo
CVE-2026-33770Same product: Wwbn Avideo
CVE-2026-33038Same product: Wwbn Avideo
CVE-2026-40925Same product: Wwbn Avideo
CVE-2026-28501Same product: Wwbn Avideo
CVE-2025-48732Same product: Wwbn Avideo
CVE-2026-41055Same product: Wwbn Avideo
CVE-2026-29093Same product: Wwbn Avideo

Affected Assets

wwbn
avideo
≤ 26.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Validates the user-supplied `streamerURL` parameter to prevent attackers from redirecting token verification requests to malicious servers that bypass authentication.

prevent

Remediates the authentication bypass flaw by timely applying the vendor patch that secures handling of the `streamerURL` parameter.

prevent

Enforces logical access controls on the live stream control endpoint to restrict unauthorized actions like dropping publishers or manipulating recordings.

References