CVE-2026-33296 is a security vulnerability classified as CWE-601 (URL Redirection to Untrusted Site or Open Redirect) affecting WWBN AVideo, an open-source video platform. The vulnerability exists in versions prior to 26.0 within the login flow mechanism. Specifically, the application accepts a user-supplied parameter named redirectUri, which is intended to redirect users after successful authentication. However, this parameter is directly reflected into a JavaScript assignment to document.location without any JavaScript-safe encoding or validation. Consequently, after the user completes the login popup, a timer callback executes and redirects the user to the URL specified by redirectUri. Because the parameter is unvalidated, an attacker can craft a malicious URL that redirects victims to attacker-controlled websites, potentially facilitating phishing, social engineering, or other malicious activities. The vulnerability does not require authentication but does require user interaction to trigger the login flow and subsequent redirect. The CVSS 4.0 base score is 2.1, indicating low severity, primarily because the impact is limited to redirecting users and does not directly compromise confidentiality, integrity, or availability of the platform. No known exploits have been reported in the wild. The issue is resolved in WWBN AVideo version 26.0 by implementing proper validation or encoding of the redirectUri parameter to prevent unsafe redirection.

The primary impact of this vulnerability is the potential for attackers to redirect authenticated or unauthenticated users to malicious external websites after login. This can facilitate phishing attacks, credential harvesting, or distribution of malware by exploiting user trust in the legitimate AVideo platform. While the vulnerability does not directly compromise system confidentiality, integrity, or availability, it can undermine user trust and lead to secondary attacks. Organizations using affected versions risk reputational damage and user compromise if attackers leverage this flaw in targeted campaigns. The low CVSS score reflects the limited direct technical impact, but the social engineering risks remain significant, especially for platforms with large user bases or sensitive content. Since exploitation requires user interaction, the risk is mitigated somewhat by user awareness but remains a concern for environments with less security-savvy users.

To mitigate this vulnerability, organizations should upgrade WWBN AVideo installations to version 26.0 or later, where the issue is fixed. If immediate upgrade is not feasible, implement strict validation on the redirectUri parameter to allow only trusted domains or relative paths within the application. Employ JavaScript-safe encoding when assigning URLs to document.location to prevent injection of malicious scripts or URLs. Additionally, consider implementing a whitelist of allowed redirect destinations and reject or sanitize any unrecognized URLs. Educate users to be cautious of unexpected redirects after login, especially from unsolicited links. Monitor web server logs for suspicious redirectUri parameter usage that may indicate exploitation attempts. Finally, apply Content Security Policy (CSP) headers to restrict navigation to trusted domains, reducing the impact of open redirects.