CVE-2026-33043: CWE-942: Permissive Cross-domain Policy with Untrusted Domains in WWBN AVideo
CVE-2026-33043 is a high-severity vulnerability in WWBN AVideo versions 25.0 and below that allows unauthenticated attackers to steal PHP session IDs via a permissive cross-domain policy. The /objects/phpsessionid.json.php endpoint returns the current PHP session ID to any request without authentication. The allowOrigin() function reflects any Origin header back in Access-Control-Allow-Origin while setting Access-Control-Allow-Credentials to true, so a page on any origin can read a logged-in victim's session ID and take over the account. The vulnerability lets attackers bypass the same-origin policy and hijack user sessions remotely. It has been fixed in version 26.0. No known exploits are currently reported in the wild.
AI Analysis
Technical Summary
CVE-2026-33043 is a high-severity vulnerability in WWBN AVideo, an open-source video platform, affecting versions before 26.0. It combines two defects. First, the endpoint /objects/phpsessionid.json.php returns the current PHP session ID to any HTTP request without authentication, so a request that carries a victim's session cookie gets that victim's session ID back in the response body. Second, the application's allowOrigin() function reflects whatever Origin header it receives in the Access-Control-Allow-Origin response header, without validation, and also sets Access-Control-Allow-Credentials to true. That is precisely the combination a browser's CORS check requires before it hands a credentialed cross-origin response to the calling page: an Access-Control-Allow-Origin value equal to the requesting origin (a * wildcard is rejected when credentials are present) plus Access-Control-Allow-Credentials: true. A page on an attacker-controlled origin can therefore issue a credentialed cross-origin request to the endpoint; the browser attaches the victim's AVideo cookies, the server reflects the attacker's origin, and the attacker's script reads the session ID from the JSON response. Presenting that ID as its own session cookie gives the attacker the victim's account. No cross-site scripting on the AVideo host is involved; the only precondition is that a logged-in user loads the attacker's page. The vulnerability is classified under CWE-942 (Permissive Cross-domain Policy with Untrusted Domains). The CVSS v3.1 base score is 8.1 (High), reflecting remote exploitation with no privileges required and low attack complexity, and high impact on confidentiality and integrity (full account takeover) with no direct effect on availability. The issue was publicly disclosed and fixed in version 26.0 of WWBN AVideo. No exploits have been reported in the wild yet, but any deployment still running an older version should be treated as exposed.
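The two server policies and the browser-side check that decides between them, as an added example in Python (not AVideo's code and not taken from the advisory). ENDPOINT is the path named above; the hostnames, the allowlist, the function names and the response classification strings are assumptions made for the example. The vulnerable_allow_origin() function models the reflection behaviour the advisory describes, browser_exposes_response() approximates the Fetch CORS check for a request made with credentials, and probe() is a live check for a host you are authorised to test; everything else runs offline.

```python
"""Offline model of the condition behind CVE-2026-33043: a credentialed
cross-origin request to /objects/phpsessionid.json.php succeeds when the
server reflects the caller's Origin and allows credentials.  Added example;
the origin-handling functions mirror the advisory's description, not the
AVideo source, and every hostname below is constructed."""
import http.client
from typing import Dict, Mapping, Optional
from urllib.parse import urlsplit

ENDPOINT = "/objects/phpsessionid.json.php"        # path named in the advisory
TRUSTED = frozenset({"https://video.example.org",   # constructed allowlist
                     "https://embed.example.org"})


def vulnerable_allow_origin(origin: Optional[str]) -> Dict[str, str]:
    """Pattern the advisory describes: whatever Origin arrives is echoed back
    and credentials are allowed, so every site on the internet is 'trusted'."""
    if not origin:
        return {}
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true"}


def hardened_allow_origin(origin: Optional[str],
                          allowlist: frozenset = TRUSTED) -> Dict[str, str]:
    """Exact-match allowlist.  Unknown origins get no CORS grant at all, so
    the browser keeps the response body from the calling page; 'Vary: Origin'
    stops a shared cache from serving one origin's headers to another."""
    if origin in allowlist:
        return {"Access-Control-Allow-Origin": origin,
                "Access-Control-Allow-Credentials": "true",
                "Vary": "Origin"}
    return {"Vary": "Origin"}


def browser_exposes_response(origin: str, headers: Mapping[str, str]) -> bool:
    """Approximation of the Fetch CORS check for credentials mode 'include':
    ACAO must equal the request Origin byte-for-byte (a '*' wildcard is
    rejected when credentials are present) and ACAC must be exactly 'true'."""
    h = {k.lower(): v for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    acac = h.get("access-control-allow-credentials")
    return acao is not None and acao != "*" and acao == origin and acac == "true"


def assess(attacker_origin: str, headers: Mapping[str, str]) -> str:
    """Classify a response to a probe sent with an Origin the target cannot
    legitimately trust.  'reflected-with-credentials' is the CVE condition."""
    if browser_exposes_response(attacker_origin, headers):
        return "reflected-with-credentials"
    h = {k.lower(): v for k, v in headers.items()}
    if h.get("access-control-allow-origin") == "*":
        # Wildcard + credentials is rejected by browsers, but '*' alone still
        # lets any page read the body of an unauthenticated response.
        return "wildcard"
    return "not-exposed"


def probe(base_url: str, attacker_origin: str = "https://attacker.invalid",
          timeout: float = 10.0) -> str:
    """Live check against a host you are authorised to test (network I/O).
    Sends the endpoint a foreign Origin and classifies what comes back."""
    u = urlsplit(base_url)
    conn_cls = (http.client.HTTPSConnection if u.scheme == "https"
                else http.client.HTTPConnection)
    conn = conn_cls(u.netloc, timeout=timeout)
    try:
        conn.request("GET", ENDPOINT, headers={"Origin": attacker_origin})
        resp = conn.getresponse()
        return assess(attacker_origin, dict(resp.getheaders()))
    finally:
        conn.close()


def demo() -> Dict[str, str]:
    """Run the offline comparison: same attacker Origin, two server policies."""
    evil = "https://attacker.invalid"
    return {
        "vulnerable": assess(evil, vulnerable_allow_origin(evil)),
        "hardened": assess(evil, hardened_allow_origin(evil)),
        "trusted_site": "exposed" if browser_exposes_response(
            "https://embed.example.org",
            hardened_allow_origin("https://embed.example.org")) else "blocked",
    }


if __name__ == "__main__":
    for policy, verdict in demo().items():
        print(f"{policy:13s} {verdict}")
```

The point the comparison makes is that the fix is not "send fewer headers" but "never pair Access-Control-Allow-Credentials: true with an origin you did not list": with the hardened policy the same attacker page still gets an HTTP 200 from the server, but the browser withholds the body because no matching Access-Control-Allow-Origin came back.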
Potential Impact
The vulnerability enables attackers to steal session IDs and perform full account takeover without authenticating to the platform, severely compromising user confidentiality and integrity. Organizations using affected versions of WWBN AVideo risk unauthorized access to user accounts, potentially exposing sensitive video content, user data, and administrative functions. This can lead to data breaches, unauthorized content manipulation, and loss of user trust. Because the theft is carried out by the victim's own browser, the attacker needs no network path to the victim and no foothold on the AVideo host: it is enough that a logged-in user visits a malicious website, so the attack can be run remotely and at scale. Availability is not directly affected, but compromised accounts can lead to indirect service disruption and reputational damage. Enterprises and service providers hosting video content on AVideo are particularly at risk if they have not upgraded to version 26.0 or later.
Mitigation Recommendations
1. Upgrade all WWBN AVideo installations to version 26.0 or later immediately to apply the official fix. After upgrading, invalidate active sessions so that any session IDs already harvested stop working.
2. If immediate upgrade is not possible, add a web application firewall or reverse-proxy rule for /objects/phpsessionid.json.php. The malicious requests arrive from victims' browsers, so the rule has to key on the Origin header: block (or strip the reflected CORS headers from) any request to that path whose Origin is absent from your own allowlist.
3. Restrict CORS policies to an explicit allowlist of trusted origins; never reflect the Origin header dynamically.
4. Do not set Access-Control-Allow-Credentials unless strictly necessary, and never combine it with a reflected or wildcard origin.
5. Monitor web server logs for requests to the vulnerable endpoint, especially those carrying an Origin or Referer outside your domains, and for signs of session reuse from unexpected addresses.
6. Until patched, advise users to avoid browsing untrusted websites while logged in to the platform.
7. Consider additional session controls such as binding sessions to the client IP (noting that this breaks legitimate users behind NAT or on mobile networks) or requiring multi-factor authentication for sensitive actions, to reduce the impact of a stolen session.
8. Audit CORS configurations and session handling in web applications regularly.
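The edge rule from step 2 and the log hunt from step 5, written out as an added example in Python rather than anything shipped by the project or provided on the page. It assumes the access log carries the request's Origin header as a trailing quoted field after the User-Agent (an extra %{Origin}i in an Apache LogFormat, or $http_origin in nginx), which the default combined format does not include; the log lines, IP addresses, hostnames, trusted origins and severity labels are all constructed for the example.

```python
"""Detection over web-server access logs for the endpoint named in the
advisory.  Added example, not part of the original page.  It assumes the
server writes the request's Origin header as a final quoted field after the
User-Agent (Apache: append %{Origin}i to the combined LogFormat; nginx:
$http_origin).  All addresses, hostnames and lines below are constructed."""
import re
from typing import Dict, Iterable, List, Optional
from urllib.parse import urlsplit

VULN_PATH = "/objects/phpsessionid.json.php"            # from the advisory
TRUSTED = frozenset({"https://video.example.org",       # constructed: the site
                     "https://embed.example.org"})      # and one partner origin

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)" "(?P<origin>[^"]*)"$')


def normalise_origin(value: str) -> Optional[str]:
    """Lower-case scheme://host[:port], or None when the field is empty/'-'."""
    if not value or value == "-":
        return None
    u = urlsplit(value)
    return f"{u.scheme}://{u.netloc}".lower() if u.scheme and u.netloc else None


def should_block(target: str, origin_header: str,
                 trusted: frozenset = TRUSTED) -> bool:
    """Edge/WAF decision for the interim mitigation: refuse cross-origin reads
    of the session-ID endpoint.  Direct navigations carry no Origin and are
    left alone; a trusted origin is allowed; anything else is dropped."""
    if target.split("?", 1)[0] != VULN_PATH:
        return False
    origin = normalise_origin(origin_header)
    return origin is not None and origin not in trusted


def scan_log(lines: Iterable[str],
             trusted: frozenset = TRUSTED) -> List[Dict[str, str]]:
    """Retrospective hunt: one alert per served hit on the endpoint.
    high   - 2xx returned to a browser context on an untrusted origin,
             i.e. the cross-origin read the advisory describes succeeded
    medium - 2xx returned with no Origin at all: scripted/direct enumeration
    Trusted-origin hits and non-2xx responses (already blocked) are skipped."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or m["target"].split("?", 1)[0] != VULN_PATH:
            continue
        if not m["status"].startswith("2"):
            continue
        origin = normalise_origin(m["origin"])
        if origin in trusted:
            continue
        alerts.append({
            "severity": "high" if origin else "medium",
            "ip": m["ip"], "time": m["ts"],
            "origin": origin or "(none)", "ua": m["ua"],
        })
    return alerts


# Constructed sample: one successful cross-origin read, one partner read,
# one unrelated request, one scripted direct read, one read already blocked.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Mar/2026:06:10:01 +0000] "GET /objects/phpsessionid.json.php HTTP/1.1" 200 87 "https://attacker.invalid/bait.html" "Mozilla/5.0" "https://attacker.invalid"
198.51.100.2 - - [20/Mar/2026:06:10:05 +0000] "GET /objects/phpsessionid.json.php HTTP/1.1" 200 87 "https://embed.example.org/player" "Mozilla/5.0" "https://embed.example.org"
198.51.100.9 - - [20/Mar/2026:06:11:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0" "-"
203.0.113.7 - - [20/Mar/2026:06:11:30 +0000] "GET /objects/phpsessionid.json.php?cb=1 HTTP/1.1" 200 87 "-" "curl/8.5.0" "-"
203.0.113.8 - - [20/Mar/2026:06:12:00 +0000] "GET /objects/phpsessionid.json.php HTTP/1.1" 403 0 "https://attacker.invalid/bait.html" "Mozilla/5.0" "https://attacker.invalid"
"""


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG.splitlines()):
        print(alert)
```

A high alert identifies a victim session that should be invalidated, since the attacker's page already received the session ID; the source IP in that line is the victim's, not the attacker's, which is why the Origin field, not the address, is what the hunt pivots on.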
Affected Countries
United States, Germany, United Kingdom, France, Canada, Australia, Japan, India, Brazil, Netherlands, South Korea
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-17T18:10:50.211Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69bce490e32a4fbe5f3388a5
Added to database: 3/20/2026, 6:09:20 AM
Last enriched: 3/20/2026, 6:23:36 AM
Last updated: 3/20/2026, 7:27:41 AM
Views: 6