Security Advisory

CVE-2026-33043

CVE vulnerability detail — eXtreme Datacenter Security Operations

Published 2026-03-20 05:52:59

Last updated 2026-03-25 13:55:29

Assigner GitHub_M

State PUBLISHED

Description

WWBN AVideo is an open source video platform. In versions 25.0 and below, /objects/phpsessionid.json.php exposes the current PHP session ID to any unauthenticated request. The allowOrigin() function reflects any Origin header back in Access-Control-Allow-Origin with Access-Control-Allow-Credentials: true, enabling cross-origin session theft and full account takeover. This issue has been fixed in version 26.0.

← Browse all CVEs View on cve.org ↗