CVE-2026-33043: CWE-942: Permissive Cross-domain Policy with Untrusted Domains in WWBN AVideo
WWBN AVideo is an open source video platform. In versions 25.0 and below, /objects/phpsessionid.json.php exposes the current PHP session ID to any unauthenticated request. The allowOrigin() function reflects any Origin header back in Access-Control-Allow-Origin with Access-Control-Allow-Credentials: true, enabling cross-origin session theft and full account takeover. This issue has been fixed in version 26.0.
AI Analysis
Technical Summary
CVE-2026-33043 is a critical security vulnerability affecting WWBN AVideo, an open-source video platform, in versions prior to 26.0. The vulnerability arises from a combination of two issues: first, the endpoint /objects/phpsessionid.json.php exposes the current PHP session ID to any unauthenticated request, effectively leaking session tokens. Second, the allowOrigin() function in the application reflects any Origin header value back in the Access-Control-Allow-Origin response header while setting Access-Control-Allow-Credentials to true. This misconfiguration violates the principle of least privilege in Cross-Origin Resource Sharing (CORS) policies, allowing an attacker-controlled website to perform cross-origin requests that include user credentials and retrieve sensitive session information. An attacker can craft a malicious webpage that, when visited by an authenticated user of the vulnerable AVideo instance, steals the PHP session ID and uses it to hijack the user's session, resulting in full account takeover. The vulnerability does not require prior authentication but does require user interaction (visiting a malicious site). The CVSS v3.1 score of 8.1 reflects the high impact on confidentiality and integrity, with no impact on availability. The flaw is categorized under CWE-942 (Permissive Cross-domain Policy with Untrusted Domains). The issue was publicly disclosed on March 20, 2026, and fixed in version 26.0 of AVideo. No known exploits in the wild have been reported yet.
Potential Impact
The primary impact of this vulnerability is the compromise of user accounts through session hijacking. Attackers can gain unauthorized access to user accounts, potentially including administrative accounts, leading to data theft, unauthorized content manipulation, or further lateral movement within an organization’s infrastructure. Because AVideo is a video platform, sensitive user data, private videos, and platform administrative controls could be exposed. The vulnerability undermines user trust and can lead to reputational damage, regulatory penalties if personal data is exposed, and operational disruptions if attackers misuse compromised accounts. Organizations relying on affected versions of AVideo are at risk, especially those with high-value or sensitive video content. The ease of exploitation combined with the lack of authentication requirement increases the threat level globally.
Mitigation Recommendations
Organizations should immediately upgrade WWBN AVideo to version 26.0 or later, where this vulnerability is fixed. Until upgrading is possible, administrators should implement strict CORS policies by configuring the server to only allow trusted origins in Access-Control-Allow-Origin and avoid reflecting arbitrary Origin headers. Additionally, disable Access-Control-Allow-Credentials unless absolutely necessary and ensure session identifiers are never exposed via unauthenticated endpoints. Employ Web Application Firewalls (WAFs) to detect and block suspicious cross-origin requests targeting the vulnerable endpoint. Educate users to avoid visiting untrusted websites while logged into AVideo platforms. Regularly audit and monitor session management and access logs for unusual activity indicative of session hijacking attempts. Finally, consider implementing multi-factor authentication (MFA) to reduce the impact of stolen session tokens.
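The CORS hardening described above, shown as an added illustration in PHP (AVideo is a PHP application). This is not AVideo's own allowOrigin() code and does not claim to be the 26.0 fix; it contrasts the reflect-any-Origin pattern the advisory describes with an exact-match allowlist. The TRUSTED_ORIGINS entries and function names are placeholders chosen for this example.

```php
<?php
// Added illustration, not AVideo's own code: the reflect-anything CORS
// pattern described in the advisory beside an allowlist-based check.

// Weak pattern: whatever Origin the browser sent is echoed back and
// credentials are allowed, so any site a logged-in user visits can read
// the authenticated response (here, the session ID).
function allowOriginReflecting(): void
{
    $origin = $_SERVER['HTTP_ORIGIN'] ?? '';
    if ($origin !== '') {
        header('Access-Control-Allow-Origin: ' . $origin);
        header('Access-Control-Allow-Credentials: true');
    }
}

// Hardened form: compare the Origin against a fixed list of exact origins
// (scheme + host + port), emit CORS headers only on an exact match, and send
// Vary: Origin so a shared cache never serves one origin's headers to another.
// Placeholder values; a deployment lists its own front-end origins here.
const TRUSTED_ORIGINS = [
    'https://video.example.com',
    'https://admin.example.com',
];

function allowOriginAllowlisted(string $origin, array $trusted = TRUSTED_ORIGINS): bool
{
    // Exact, type-strict match only: no prefix, suffix or regex matching,
    // which is where "trusted domain" checks are usually bypassed
    // (e.g. a lookalike such as video.example.com.attacker-controlled.test).
    if ($origin === '' || !in_array($origin, $trusted, true)) {
        return false; // emit no CORS headers: the browser blocks the cross-origin read
    }
    header('Access-Control-Allow-Origin: ' . $origin);
    header('Access-Control-Allow-Credentials: true');
    header('Vary: Origin');
    return true;
}

// Usage at the top of any endpoint that returns per-user data:
// allowOriginAllowlisted($_SERVER['HTTP_ORIGIN'] ?? '');
// A false return simply leaves the response same-origin only.
```

Two points follow from the advisory rather than from this snippet: an allowlist limits who can read a response but does not make it safe to serve the session ID to unauthenticated callers at all, so the endpoint itself still has to stop returning it; and Access-Control-Allow-Credentials should be omitted entirely on endpoints that do not need cookie-bearing cross-origin calls.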
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Japan, India, Brazil, Netherlands
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-17T18:10:50.211Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69bce490e32a4fbe5f3388a5
Added to database: 3/20/2026, 6:09:20 AM
Last enriched: 3/27/2026, 6:53:18 PM
Last updated: 5/2/2026, 10:32:48 PM