{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33043", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-17T18:10:50.211Z", "datePublished": "2026-03-20T05:52:59.412Z", "dateUpdated": "2026-03-25T13:55:29.106Z"}, "containers": {"cna": {"title": "AVideo affected by Session Hijacking via Unauthenticated Session ID Disclosure with Permissive CORS", "problemTypes": [{"descriptions": [{"cweId": "CWE-942", "lang": "en", "description": "CWE-942: Permissive Cross-domain Policy with Untrusted Domains", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/WWBN/AVideo/security/advisories/GHSA-qc3p-398r-p59j", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-qc3p-398r-p59j"}, {"name": "https://github.com/WWBN/AVideo/commit/9f4f51e5df5e3343400f9d0068705f5482b6f930", "tags": ["x_refsource_MISC"], "url": "https://github.com/WWBN/AVideo/commit/9f4f51e5df5e3343400f9d0068705f5482b6f930"}], "affected": [{"vendor": "WWBN", "product": "AVideo", "versions": [{"version": "< 26.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T05:52:59.412Z"}, "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions 25.0 and below, /objects/phpsessionid.json.php exposes the current PHP session ID to any unauthenticated request. The allowOrigin() function reflects any Origin header back in Access-Control-Allow-Origin with Access-Control-Allow-Credentials: true, enabling cross-origin session theft and full account takeover. This issue has been fixed in version 26.0."}], "source": {"advisory": "GHSA-qc3p-398r-p59j", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-25T13:54:38.514863Z", "id": "CVE-2026-33043", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T13:55:29.106Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33043", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-25T13:54:38.514863Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T13:55:19.244Z"}}], "cna": {"title": "AVideo affected by Session Hijacking via Unauthenticated Session ID Disclosure with Permissive CORS", "source": {"advisory": "GHSA-qc3p-398r-p59j", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "WWBN", "product": "AVideo", "versions": [{"status": "affected", "version": "< 26.0"}]}], "references": [{"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-qc3p-398r-p59j", "name": "https://github.com/WWBN/AVideo/security/advisories/GHSA-qc3p-398r-p59j", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/WWBN/AVideo/commit/9f4f51e5df5e3343400f9d0068705f5482b6f930", "name": "https://github.com/WWBN/AVideo/commit/9f4f51e5df5e3343400f9d0068705f5482b6f930", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions 25.0 and below, /objects/phpsessionid.json.php exposes the current PHP session ID to any unauthenticated request. The allowOrigin() function reflects any Origin header back in Access-Control-Allow-Origin with Access-Control-Allow-Credentials: true, enabling cross-origin session theft and full account takeover. This issue has been fixed in version 26.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-942", "description": "CWE-942: Permissive Cross-domain Policy with Untrusted Domains"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T05:52:59.412Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33043", "state": "PUBLISHED", "dateUpdated": "2026-03-25T13:55:29.106Z", "dateReserved": "2026-03-17T18:10:50.211Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-20T05:52:59.412Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*", "matchCriteriaId": "B468F0CE-E5E7-4607-BD15-B5763C47493E", "versionEndExcluding": "26.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions 25.0 and below, /objects/phpsessionid.json.php exposes the current PHP session ID to any unauthenticated request. The allowOrigin() function reflects any Origin header back in Access-Control-Allow-Origin with Access-Control-Allow-Credentials: true, enabling cross-origin session theft and full account takeover. This issue has been fixed in version 26.0."}, {"lang": "es", "value": "WWBN AVideo es una plataforma de video de c\u00f3digo abierto. En las versiones 25.0 e inferiores, /objects/phpsessionid.json.php expone el ID de sesi\u00f3n PHP actual a cualquier solicitud no autenticada. La funci\u00f3n allowOrigin() refleja cualquier encabezado Origin de vuelta en Access-Control-Allow-Origin con Access-Control-Allow-Credentials: true, lo que permite el robo de sesi\u00f3n de origen cruzado y la toma de control total de la cuenta. Este problema ha sido solucionado en la versi\u00f3n 26.0."}], "id": "CVE-2026-33043", "lastModified": "2026-03-23T15:28:09.777", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-20T06:16:12.670", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/WWBN/AVideo/commit/9f4f51e5df5e3343400f9d0068705f5482b6f930"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-qc3p-398r-p59j"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-942"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,26.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "AVideo", "source": "cna", "vendor": "WWBN"}, "product": "avideo", "vendor": "wwbn"}], "analysis": {"en": {"generated_at": "2026-03-23T16:53:28.826238+00:00", "value": {"mitigation_remediation": ["Upgrade AVideo to version\u00a026.0 or later to eliminate the vulnerable endpoint and correct CORS handling.", "If an upgrade is not immediately possible, configure the web server to block unauthenticated requests to /objects/phpsessionid.json.php or restrict that endpoint to trusted origins.", "Modify the CORS policy so that Access\u2011Control\u2011Allow\u2011Origin is set to a predefined whitelist rather than reflecting the request header.", "Monitor logs for unexpected Cross\u2011Origin requests that include session identifiers and investigate any suspicious activity."], "summary": {"action": "Immediate Patch", "impact": "Cross\u2011origin session theft leading to account takeover"}, "threat_synthesis": {"affected_systems": "The flaw exists in the WWBN AVideo platform in all releases up to and including version 25.0. Any deployment of these affected releases, regardless of hosting environment, is susceptible as long as the /objects/phpsessionid.json.php endpoint remains publicly reachable.", "description_and_impact": "Unprivileged users can obtain the current PHP session ID for any visitor by sending an unauthenticated request to /objects/phpsessionid.json.php. The endpoint echoes the requested Origin header in the Access\u2011Control\u2011Allow\u2011Origin response and sets Access\u2011Control\u2011Allow\u2011Credentials to true, which allows a malicious site to send credentials across origins. The combination of an exposed session identifier and permissive CORS lets an attacker hijack a session and impersonate the account that owns that session, resulting in a full compromise of user credentials.", "risk_and_exploitability": "The CVSS score of 8.1 classifies this vulnerability as High severity. The EPSS rating of <1% indicates that exploitation is currently rare. The vulnerability is not listed in the CISA KEV catalog. An attacker only needs network access to the server, can send an unauthenticated HTTP request to the vulnerable endpoint, and can supply a crafted Origin header to obtain the session token and subsequently use it to perform cross\u2011origin requests that authenticate as the victim."}}}}, "created": "2026-03-20T08:52:22.341256+00:00", "updated": "2026-03-25T14:30:18.069764+00:00", "vendors": ["wwbn", "wwbn$PRODUCT$avideo"]}