CVE-2026-33296 is an open redirect vulnerability classified under CWE-601 affecting WWBN AVideo, an open-source video platform. The vulnerability exists in versions prior to 26.0 within the login flow mechanism. Specifically, the application accepts a user-supplied parameter named redirectUri, which is intended to redirect users after successful login. However, this parameter is reflected directly into a JavaScript assignment to document.location without any JavaScript-safe encoding or validation. After the user completes the login popup flow, a timer callback executes the redirect using this unvalidated parameter, allowing an attacker to craft URLs that redirect victims to attacker-controlled domains. This can facilitate phishing attacks, credential theft, or distribution of malware by exploiting user trust in the legitimate platform. The vulnerability does not require authentication but does require user interaction to trigger the redirect. The CVSS 4.0 score is 2.1, indicating low severity primarily due to the limited impact on confidentiality, integrity, and availability, and the need for user interaction. No known exploits have been reported in the wild as of the publication date. The issue is resolved in version 26.0 of WWBN AVideo by implementing proper validation or encoding of the redirectUri parameter to prevent unsafe redirection.

The primary impact of this vulnerability is the facilitation of phishing and social engineering attacks. Attackers can exploit the open redirect to send users to malicious websites that may mimic the legitimate platform or deliver malware payloads. While the vulnerability does not directly compromise system confidentiality, integrity, or availability, it undermines user trust and can lead to credential theft or session hijacking if users are tricked into entering sensitive information on attacker-controlled sites. Organizations deploying WWBN AVideo in environments with sensitive user data or high-value targets may face reputational damage and increased risk of downstream attacks. The low CVSS score reflects the limited direct technical impact but does not diminish the potential for indirect harm through user deception. Since exploitation requires user interaction, the threat is mitigated somewhat by user awareness but remains a concern for phishing-prone environments.

Organizations should upgrade WWBN AVideo to version 26.0 or later, where the vulnerability is fixed by proper validation and encoding of the redirectUri parameter. Until upgrade is possible, administrators can implement input validation on the redirectUri parameter at the web server or application firewall level to allow only trusted domains or relative paths. Employing Content Security Policy (CSP) headers can help reduce the risk of malicious script execution following redirection. User education on recognizing phishing attempts and verifying URLs before entering credentials is critical. Monitoring logs for unusual redirectUri parameter values may help detect exploitation attempts. Additionally, consider implementing multi-factor authentication (MFA) to reduce the impact of credential theft resulting from phishing attacks leveraging this vulnerability.