Cyber Posture

CVE-2026-41056

Severity: High · Public PoC available

Published: 21 April 2026
Modified: 23 April 2026
KEV Added: not listed (not in the CISA KEV catalog)
Patch: available (fix commit caf705f38eae0ccfac4c3af1587781355d24495e)
CVSS Score: 8.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N)
EPSS Score: 0.0006 (17.3rd percentile)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-41056 is a high-severity Permissive Cross-domain Policy with Untrusted Domains (CWE-942) vulnerability in WWBN AVideo, with a CVSS v3.1 base score of 8.1 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 17.3rd percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof of concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and CM-6 (Configuration Settings).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: the NIST 800-53 controls listed below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

AC-4 Information Flow Enforcement (prevent): Enforces cross-domain policies to control information flow between trusted and untrusted origins, directly preventing unauthorized credentialed access to sensitive APIs via misconfigured CORS.

AC-4 Information Flow Enforcement (prevent): Mediates information flows based on approved policies, restricting API responses to authorized origins only and blocking reflection of arbitrary Origin headers.

CM-6 Configuration Settings (prevent): Mandates secure configuration settings for web applications, ensuring Access-Control-Allow-Origin is restricted to an explicit list of trusted origins rather than echoing an arbitrary Origin together with Access-Control-Allow-Credentials: true.

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The CORS misconfiguration in public-facing API endpoints directly enables exploitation of the web application to perform unauthorized credentialed cross-origin requests for data access and state changes.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

WWBN AVideo is an open source video platform. In versions 29.0 and below, the `allowOrigin($allowAll=true)` function in `objects/functions.php` reflects any arbitrary `Origin` header back in `Access-Control-Allow-Origin` along with `Access-Control-Allow-Credentials: true`. This function is called by both `plugin/API/get.json.php` and `plugin/API/set.json.php`, the primary API endpoints that handle user data retrieval, authentication, livestream credentials, and state-changing operations. Combined with the application's `SameSite=None` session cookie policy, any website can make credentialed cross-origin requests and read authenticated API responses, enabling theft of user PII, livestream keys, and performing state changes on behalf of the victim. Commit caf705f38eae0ccfac4c3af1587781355d24495e contains a fix.

Deeper analysis (AI-generated)

CVE-2026-41056 is a cross-origin resource sharing (CORS) misconfiguration in WWBN AVideo, an open source video platform, affecting versions 29.0 and below. The issue resides in the `allowOrigin($allowAll=true)` function in `objects/functions.php`, which reflects any `Origin` request header back in the `Access-Control-Allow-Origin` response header while also setting `Access-Control-Allow-Credentials: true`. The function is invoked by the primary API endpoints `plugin/API/get.json.php` and `plugin/API/set.json.php`, which handle user data retrieval, authentication, livestream credentials, and state-changing operations. The vulnerability carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N) and is classified as CWE-942 (Permissive Cross-domain Policy with Untrusted Domains).

Browsers refuse to expose a credentialed response whose `Access-Control-Allow-Origin` is the wildcard `*`; the only value that passes the check is an exact match of the requesting origin, which is exactly what reflection hands back to every caller. An attacker therefore hosts a page on any origin and lures a user who is logged in to the AVideo instance into visiting it (the UI:R component of the vector). Because the session cookie is issued with `SameSite=None`, the attacker's script can issue requests to the API endpoints with `credentials: 'include'`, the victim's cookie is attached, and the response body is readable by the attacker's page. A credentialed GET with no custom headers is a simple request that triggers no preflight, so nothing on the client side interrupts the read. Resulting impacts include theft of user personally identifiable information (PII) and livestream keys, and state-changing operations on the victim's behalf through `set.json.php`, such as modifying user data.

A fix is available in commit caf705f38eae0ccfac4c3af1587781355d24495e in the WWBN/AVideo GitHub repository, and the GitHub Security Advisory GHSA-ccq9-r5cw-5hwq provides further details. Operators should upgrade to a patched release so that origins are validated against an explicit allow list rather than reflected. Until then, a quick check is to send a request to `plugin/API/get.json.php` carrying an arbitrary `Origin` header and inspect whether that value comes back in `Access-Control-Allow-Origin` together with `Access-Control-Allow-Credentials: true`.

Details

CWE(s): CWE-942 Permissive Cross-domain Policy with Untrusted Domains

Affected Products: wwbn avideo ≤ 29.0

CVEs Like This One

CVE-2026-41057 (same product: WWBN AVideo)
CVE-2026-41055 (same product: WWBN AVideo)
CVE-2025-48732 (same product: WWBN AVideo)
CVE-2025-25214 (same product: WWBN AVideo)
CVE-2026-34733 (same product: WWBN AVideo)
CVE-2026-33292 (same product: WWBN AVideo)
CVE-2026-28501 (same product: WWBN AVideo)
CVE-2026-33513 (same product: WWBN AVideo)
CVE-2026-33770 (same product: WWBN AVideo)
CVE-2026-33038 (same product: WWBN AVideo)

References

GitHub Security Advisory GHSA-ccq9-r5cw-5hwq (WWBN/AVideo)
Fix commit caf705f38eae0ccfac4c3af1587781355d24495e in the WWBN/AVideo repository