Description
WWBN AVideo is an open source video platform. In versions 29.0 and below, the CORS origin validation fix in commit `986e64aad` is incomplete. Two separate code paths still reflect arbitrary `Origin` headers with credentials allowed for all `/api/*` endpoints: (1) `plugin/API/router.php` lines 4-8 unconditionally reflect any origin before application code runs, and (2) `allowOrigin(true)` called by `get.json.php` and `set.json.php` reflects any origin with `Access-Control-Allow-Credentials: true`. An attacker can make cross-origin credentialed requests to any API endpoint and read authenticated responses containing user PII, email, admin status, and session-sensitive data. Commit 5e2b897ccac61eb6daca2dee4a6be3c4c2d93e13 contains a fix.
Published: 2026-04-21
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Origin Data Disclosure via Unrestricted CORS
Action: Immediate Patch
AI Analysis

Impact

The flaw is an incomplete CORS origin validation in AVideo versions 29.0 and earlier. Two code paths under /api/* reflect whatever Origin header the browser sends into Access-Control-Allow-Origin and also set Access-Control-Allow-Credentials: true: the early header logic in plugin/API/router.php, which runs before any application code, and the allowOrigin(true) call made by get.json.php and set.json.php. This is a CWE-346 (Origin Validation Error) weakness. Because those two headers together are exactly what a browser requires before it lets a page from another origin read a cookie-bearing response, a malicious site can issue credentialed cross-origin requests on the victim's behalf and read the resulting API responses, which can contain personally identifiable information, email addresses, administrative status and other session-sensitive data. The primary impact is disclosure of confidential authenticated user information; the CVSS vector also records a low integrity impact (I:L).

Affected Systems

The affected product is the open‑source AVideo platform developed by WWBN. Versions 29.0 and all earlier releases are impacted. No other vendors or product variants are listed in the advisory.

Risk and Exploitability

The CVSS 3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N) indicates high severity: network attack vector, low complexity, no privileges required, but user interaction required, since the victim must visit an attacker-controlled page while logged in to AVideo. The vulnerability is not listed in the CISA KEV catalog; the SSVC entry records a public proof of concept but rates the flaw as not automatable. Exploitation is a browser-side cross-origin request: the attacker's page fetches any /api/* endpoint with credentials included, the server reflects the page's Origin in Access-Control-Allow-Origin together with Access-Control-Allow-Credentials: true, and the browser therefore lets the page read the authenticated response. Whether the session cookie is attached to such a cross-site fetch also depends on the cookie's SameSite attribute (a Lax or Strict cookie is not sent on a cross-site fetch), a point the advisory does not address.
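The check a practitioner would run against their own instance, as an added example that is not part of the advisory or of the AVideo code base: it sends an unauthenticated GET carrying a foreign Origin header to one API URL and classifies the CORS headers in the reply. The probe origin https://evil.example, the endpoint URL passed on the command line, and the sample header sets are all constructed for illustration. It also goes beyond the advisory's case by probing prefix-matched, suffix-matched and "null" origins, which distinguish unconditional reflection from a weak allowlist.

```python
"""Probe an AVideo /api/* URL for credentialed Origin reflection (added example)."""
from __future__ import annotations

import sys
import urllib.error
import urllib.parse
import urllib.request
from dataclasses import dataclass

# Hypothetical attacker-controlled origin used as the probe value (assumption).
PROBE_ORIGIN = "https://evil.example"


@dataclass(frozen=True)
class CorsVerdict:
    reflects_origin: bool      # ACAO equals the Origin we sent (not "*", not a fixed trusted value)
    allows_credentials: bool   # ACAC is exactly "true"

    @property
    def exploitable(self) -> bool:
        # A browser lets a cross-origin page read a cookie-bearing response only when
        # ACAO matches the page's origin exactly AND ACAC is "true"; "*" is refused for
        # credentialed requests, so reflection without credentials is not this bug.
        return self.reflects_origin and self.allows_credentials


def classify_cors(headers: dict[str, str], probe_origin: str = PROBE_ORIGIN) -> CorsVerdict:
    """Classify one response's CORS headers against the Origin that was sent."""
    # Header field names are case-insensitive; normalise before lookup.
    h = {k.lower(): v.strip() for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    acac = h.get("access-control-allow-credentials", "").lower()
    return CorsVerdict(reflects_origin=(acao == probe_origin), allows_credentials=(acac == "true"))


def probe_origins(target_host: str) -> list[str]:
    """Origins that tell 'reflects anything' apart from common weak allowlists
    (prefix/suffix matching, unanchored regexes, accepting the literal 'null')."""
    return [
        PROBE_ORIGIN,                            # unrelated origin: catches unconditional reflection
        f"https://{target_host}.evil.example",   # passes an allowlist checked as a prefix
        f"https://evil{target_host}",            # passes an allowlist checked as a suffix
        "null",                                  # sandboxed iframes and data: pages send Origin: null
    ]


def probe(url: str, origin: str, timeout: float = 10.0) -> CorsVerdict:
    """GET `url` with `origin` as the Origin header and classify the reply.
    No cookies are sent, so this checks the header policy only and reads no user data."""
    req = urllib.request.Request(url, headers={"Origin": origin, "User-Agent": "cors-probe"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_cors(dict(resp.headers.items()), origin)
    except urllib.error.HTTPError as err:
        # An error response may still carry the CORS headers; classify it the same way.
        return classify_cors(dict(err.headers.items()), origin)


# Constructed header sets (not captured from a real server) showing the three outcomes.
SAMPLE_REFLECTING = {
    "Content-Type": "application/json",
    "Access-Control-Allow-Origin": "https://evil.example",
    "Access-Control-Allow-Credentials": "true",
}
SAMPLE_ALLOWLISTED = {
    "Access-Control-Allow-Origin": "https://videos.example",
    "Access-Control-Allow-Credentials": "true",
}
SAMPLE_WILDCARD = {
    "Access-Control-Allow-Origin": "*",
    "Access-Control-Allow-Credentials": "true",
}


def main(argv: list[str]) -> int:
    if len(argv) != 2:
        print(f"usage: {argv[0]} https://HOST/api/...  (full URL of one API endpoint)")
        return 2
    url = argv[1]
    host = urllib.parse.urlsplit(url).hostname or ""
    worst = False
    for origin in probe_origins(host):
        verdict = probe(url, origin)
        print(f"{origin:45} reflects={verdict.reflects_origin} credentials={verdict.allows_credentials}")
        worst = worst or verdict.exploitable
    print("VULNERABLE: credentialed cross-origin reads possible" if worst
          else "no credentialed reflection observed")
    return 1 if worst else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against one of your own API URLs only; a reflected first probe with credentials is the condition described in this advisory, while a hit on only the second or third probe points at an allowlist that compares by substring rather than by exact origin.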

Generated by OpenCVE AI on April 22, 2026 at 07:07 UTC.

Remediation

The advisory identifies commit 5e2b897ccac61eb6daca2dee4a6be3c4c2d93e13 in the WWBN AVideo repository as the fix; it does not name a fixed release version or a vendor-provided workaround.

OpenCVE Recommended Actions

  • Apply the vendor patch that updates CORS handling in plugin/API/router.php and the allowOrigin calls, as implemented in commit 5e2b897ccac61eb6daca2dee4a6be3c4c2d93e13.
  • Upgrade the installation to a release newer than 29.0 that includes that commit; the advisory names only the commit and does not state which release first ships it.
  • If immediate patching is not possible, override the CORS headers at the reverse proxy in front of /api/*: drop the Access-Control-Allow-Origin and Access-Control-Allow-Credentials headers the application sets and re-add them only when the request's Origin exactly matches an explicit allowlist, with Vary: Origin. This governs what a browser may read cross-origin; it is not access control, since a non-browser client can send any Origin value.
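What a correct origin check looks like, as an added example that is not AVideo's code: the project is written in PHP, and this is a Python rendering of the decision a routine such as allowOrigin(true) (or a proxy rule standing in for it) needs to make. The allowlist entries and the Origin values in the usage section are assumptions made for illustration.

```python
"""Exact-match origin validation that closes the reflection paths in this advisory (added example)."""
from __future__ import annotations

from urllib.parse import urlsplit

# Hypothetical deployment allowlist; a real install would load this from configuration.
ALLOWED_ORIGINS = frozenset({
    "https://videos.example",
    "https://videos.example:8443",
    "http://localhost:8080",
})


def normalize_origin(origin: str | None) -> str | None:
    """Reduce an Origin to canonical scheme://host[:port], or None if it is not one.

    Rejects 'null', non-http(s) schemes, userinfo, paths, queries and fragments, so a
    crafted value cannot slip past the comparison below."""
    if not origin:
        return None
    try:
        parts = urlsplit(origin)
        port = parts.port  # raises ValueError for a non-numeric port
    except ValueError:
        return None
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    if scheme not in ("http", "https") or not host:
        return None
    if parts.username or parts.password or parts.path or parts.query or parts.fragment:
        return None
    if ":" in host:                       # bare IPv6 literal: keep the brackets
        host = f"[{host}]"
    default_port = 443 if scheme == "https" else 80
    if port is None or port == default_port:
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"


_ALLOWED_NORMALIZED = frozenset(n for n in map(normalize_origin, ALLOWED_ORIGINS) if n)


def cors_headers_for(origin_header: str | None) -> dict[str, str]:
    """Headers to emit for a request with the given Origin, or {} if it is not trusted.

    Unlike an unconditional allowOrigin(true), an unknown Origin is never echoed, and
    Access-Control-Allow-Credentials is only ever paired with an allowlisted value."""
    if normalize_origin(origin_header) not in _ALLOWED_NORMALIZED:
        return {}
    return {
        # Echo the exact value received: the browser compares ACAO byte-for-byte
        # against the page's serialized origin.
        "Access-Control-Allow-Origin": origin_header,
        "Access-Control-Allow-Credentials": "true",
        # Without this, a cache could serve one origin's ACAO to a different origin.
        "Vary": "Origin",
    }


if __name__ == "__main__":
    # Constructed Origin values covering the exact match, default-port form, the
    # substring-bypass shapes, a scheme mismatch, 'null' and a missing header.
    for o in ["https://videos.example", "https://videos.example:443", "https://evil.example",
              "https://videos.example.evil.example", "http://videos.example", "null", None]:
        print(f"{str(o):40} -> {cors_headers_for(o) or 'no CORS headers'}")
```

The comparison is on the whole normalised origin, not on a substring or an unanchored pattern, which is why https://videos.example.evil.example and http://videos.example both get no headers at all; the same rule expressed in a web-server `map` or `if` block is the shape of the proxy workaround above.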

Advisories

No advisories yet.

History

Fri, 24 Apr 2026 15:15:00 +0000

Type                  Values Removed    Values Added
CPEs                  (none)            cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*

Wed, 22 Apr 2026 19:15:00 +0000

Type                  Values Removed    Values Added
Metrics               (none)            ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 22 Apr 2026 03:45:00 +0000

Type                  Values Removed    Values Added
First Time appeared   (none)            Wwbn; Wwbn avideo
Vendors & Products    (none)            Wwbn; Wwbn avideo

Wed, 22 Apr 2026 00:00:00 +0000

Type                  Values Removed    Values Added
Description           (none)            (the advisory text shown at the top of this page)
Title                 (none)            AVideo has CORS Origin Reflection Bypass via plugin/API/router.php and allowOrigin(true) that Exposes Authenticated API Responses
Weaknesses            (none)            CWE-346
References            (none)            (none listed)
Metrics               (none)            cvssV3_1 {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-22T18:02:31.665Z

Reserved: 2026-04-16T16:43:03.173Z

Link: CVE-2026-41057

Vulnrichment

Updated: 2026-04-22T18:02:24.246Z

NVD

Status: Analyzed

Published: 2026-04-21T23:16:20.987

Modified: 2026-04-24T15:07:47.937

Link: CVE-2026-41057

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T07:15:11Z

Weaknesses