Description
WWBN AVideo is an open source video platform. In versions 29.0 and below, the `allowOrigin($allowAll=true)` function in `objects/functions.php` reflects any arbitrary `Origin` header back in `Access-Control-Allow-Origin` along with `Access-Control-Allow-Credentials: true`. This function is called by both `plugin/API/get.json.php` and `plugin/API/set.json.php` — the primary API endpoints that handle user data retrieval, authentication, livestream credentials, and state-changing operations. Combined with the application's `SameSite=None` session cookie policy, any website can make credentialed cross-origin requests and read authenticated API responses, enabling theft of user PII, livestream keys, and performing state changes on behalf of the victim. Commit caf705f38eae0ccfac4c3af1587781355d24495e contains a fix.
Published: 2026-04-21
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑origin account takeover via reflected CORS headers that allow credentialed requests, leading to theft of personal data and control of livestreams
Action: Patch
AI Analysis

Impact

The vulnerability lies in the function that reflects any supplied Origin header to the Access‑Control‑Allow‑Origin response while also enabling credentials for both data retrieval and state‑changing API endpoints. This flaw permits a malicious web site to issue cross‑origin, authenticated requests and read protected responses, resulting in theft of personal user information, livestream keys, and the ability to modify user state. The weakness maps to CWE‑942, reflecting a misuse of CORS.

Affected Systems

The affected application is the WWBN AVideo open‑source video platform. Versions 29.0 and earlier contain the vulnerable implementation in objects/functions.php, plugin/API/get.json.php, and plugin/API/set.json.php. No other vendors or products are listed as affected.

Risk and Exploitability

With a CVSS score of 8.1, this vulnerability is considered high severity. The EPSS score is not provided, but the lack of KEV listing does not diminish the risk; attackers can exploit the flaw from any arbitrary web page by simply setting the Origin header and using the Server‑side SameSite=None session cookie policy to carry credentials. The attack requires only a web browser and the ability to target the victim’s device, making exploitation straightforward for determined adversaries.

Generated by OpenCVE AI on April 22, 2026 at 06:16 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the fix from commit caf705f38eae0ccfac4c3af1587781355d24495e released by the vendor
  • Upgrade AVideo to a version newer than 29.0 where the allowOrigin function no longer returns credentials for sensitive endpoints
  • If an upgrade is not immediately possible, reconfigure the server to enforce a strict Access‑Control‑Allow‑Origin policy that rejects arbitrary Origins and removes the Allow‑Credentials header from these endpoints

Generated by OpenCVE AI on April 22, 2026 at 06:16 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 22 Apr 2026 03:45:00 +0000

Type Values Removed Values Added
First Time appeared Wwbn
Wwbn avideo
Vendors & Products Wwbn
Wwbn avideo

Wed, 22 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
Description WWBN AVideo is an open source video platform. In versions 29.0 and below, the `allowOrigin($allowAll=true)` function in `objects/functions.php` reflects any arbitrary `Origin` header back in `Access-Control-Allow-Origin` along with `Access-Control-Allow-Credentials: true`. This function is called by both `plugin/API/get.json.php` and `plugin/API/set.json.php` — the primary API endpoints that handle user data retrieval, authentication, livestream credentials, and state-changing operations. Combined with the application's `SameSite=None` session cookie policy, any website can make credentialed cross-origin requests and read authenticated API responses, enabling theft of user PII, livestream keys, and performing state changes on behalf of the victim. Commit caf705f38eae0ccfac4c3af1587781355d24495e contains a fix.
Title AVideos has CORS Origin Reflection with Credentials on Sensitive API Endpoints that Enables Cross-Origin Account Takeover
Weaknesses CWE-942
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N'}

Subscriptions

Wwbn Avideo
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-22T13:15:07.044Z

Reserved: 2026-04-16T16:43:03.173Z

Link: CVE-2026-41056

cve-icon Vulnrichment

Updated: 2026-04-22T13:14:58.344Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-21T23:16:20.850

Modified: 2026-04-22T21:23:52.620

Link: CVE-2026-41056

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T06:30:10Z

Weaknesses