Description
WWBN AVideo is an open source video platform. Prior to version 26.0, WWBN/AVideo contains an open redirect vulnerability in the login flow where a user-supplied redirectUri parameter is reflected directly into a JavaScript `document.location` assignment without JavaScript-safe encoding. After a user completes the login popup flow, a timer callback executes the redirect using the unvalidated value, sending the victim to an attacker-controlled site. Version 26.0 fixes the issue.
Published: 2026-03-22
Score: 2.1 Low
EPSS: < 1% Very Low
KEV: No
Impact: Open Redirect through unvalidated redirectUri in userLogin.php
Action: Patch
AI Analysis

Impact

The vulnerability allows an attacker to supply an arbitrary redirect URL through the redirectUri parameter during the login flow. The value is reflected directly into a JavaScript document.location assignment without proper encoding, so after the login popup completes, the victim is automatically sent to the attacker‑controlled site. This can be used to facilitate phishing or social engineering attacks, leveraging the user’s trust that they are on the legitimate platform. The weakness is a classic unvalidated redirect, classified as CWE‑601.

Affected Systems

WWBN AVideo versions earlier than 26.0 are affected. The open source video platform is deployed by its users and administrators; any instance running a version prior to the fixed release inherits this flaw.

Risk and Exploitability

The CVSS score of 2.1 indicates low severity; the EPSS score of less than 1% suggests exploitation is currently unlikely. The flaw is not listed in CISA’s KEV catalog. Exploitation requires a user to click the modified login link and complete the login popup, after which the victim is redirected. Because the attacker does not gain code execution or privileges, impact is limited to facilitating phishing or other social‑engineering attacks. Nonetheless, the risk of credential theft or malware infection remains if users are tricked into visiting malicious sites.

Generated by OpenCVE AI on March 24, 2026 at 19:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update WWBN AVideo to version 26.0 or later, which removes the open redirect paths in the login flow.


Advisories
Source: GitHub GHSA
ID: GHSA-hj5h-5623-gwhw
Title: AVideo has an Open Redirect via Unvalidated redirectUri in userLogin.php
History

Tue, 24 Mar 2026 18:00:00 +0000

Type | Values Removed | Values Added
CPEs | | cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*
Metrics | | cvssV3_1 {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


Mon, 23 Mar 2026 15:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 23 Mar 2026 10:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Wwbn; Wwbn avideo
Vendors & Products | | Wwbn; Wwbn avideo

Sun, 22 Mar 2026 17:15:00 +0000

Type | Values Removed | Values Added
Description | | WWBN AVideo is an open source video platform. Prior to version 26.0, WWBN/AVideo contains an open redirect vulnerability in the login flow where a user-supplied redirectUri parameter is reflected directly into a JavaScript `document.location` assignment without JavaScript-safe encoding. After a user completes the login popup flow, a timer callback executes the redirect using the unvalidated value, sending the victim to an attacker-controlled site. Version 26.0 fixes the issue.
Title | | AVideo has an Open Redirect via Unvalidated redirectUri in userLogin.php
Weaknesses | | CWE-601
References | |
Metrics | | cvssV4_0 {'score': 2.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-23T14:00:36.993Z

Reserved: 2026-03-18T18:55:47.427Z

Link: CVE-2026-33296

Vulnrichment

Updated: 2026-03-23T14:00:26.714Z

NVD

Status : Analyzed

Published: 2026-03-22T17:17:09.420

Modified: 2026-03-24T17:52:46.437

Link: CVE-2026-33296

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T14:50:25Z

Weaknesses