Description
Wowza Streaming Engine 4.5.0 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions by crafting malicious web pages. Attackers can trick logged-in administrators into visiting a malicious site that submits POST requests to the user edit endpoint to create new admin accounts with arbitrary credentials.
Published: 2026-03-15
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Administrative account creation via CSRF
Action: Apply Patch
AI Analysis

Impact

Wowza Streaming Engine 4.5.0 suffers from a cross‑site request forgery flaw that allows an attacker to craft a malicious web page which, when viewed by an authenticated administrator, automatically posts to the user edit endpoint. This can result in the creation of new administrative accounts with arbitrary credentials, enabling full administrative control over the streaming engine. The weakness is identified as CWE-352.

Affected Systems

The vulnerability affects Wowza Media Systems, LLC. Wowza Streaming Engine version 4.5.0, as indicated by the vendor list and the associated CPE string cpe:2.3:a:wowza:streaming_engine:4.5.0:*:*:*:*:*:*:*.

Risk and Exploitability

The CVSS score is 6.9, which denotes medium severity. The EPSS score is below 1%, indicating a very low likelihood of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires a logged‑in administrator to be tricked into visiting a malicious site, making the attack vector remote and user‑interaction based.

Generated by OpenCVE AI on March 19, 2026 at 15:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check the Wowza Media Systems website or support portal for a patch or newer release that addresses CVE-2016-20035.
  • If a patch is not available, disable or restrict access to the user edit endpoint for administrative accounts.
  • Implement an additional CSRF protection token or referer check if possible.
  • Monitor administrative traffic for abnormal POST activity to the user edit endpoint.

Generated by OpenCVE AI on March 19, 2026 at 15:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 16 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sun, 15 Mar 2026 19:00:00 +0000

Type Values Removed Values Added
Description Wowza Streaming Engine 4.5.0 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions by crafting malicious web pages. Attackers can trick logged-in administrators into visiting a malicious site that submits POST requests to the user edit endpoint to create new admin accounts with arbitrary credentials.
Title Wowza Streaming Engine 4.5.0 CSRF via user edit endpoint
First Time appeared Wowza
Wowza streaming Engine
Weaknesses CWE-352
CPEs cpe:2.3:a:wowza:streaming_engine:4.5.0:*:*:*:*:*:*:*
Vendors & Products Wowza
Wowza streaming Engine
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L'}

Subscriptions

Wowza Streaming Engine
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-16T14:30:30.121Z

Reserved: 2026-03-15T18:22:19.349Z

Link: CVE-2016-20035

cve-icon Vulnrichment

Updated: 2026-03-16T14:21:01.794Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-16T14:17:50.693

Modified: 2026-03-19T14:17:08.137

Link: CVE-2016-20035

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-23T14:01:23Z

Weaknesses