CVE-2026-41056: CWE-942: Permissive Cross-domain Policy with Untrusted Domains in WWBN AVideo
WWBN AVideo versions 29. 0 and below contain a permissive cross-domain policy vulnerability in the allowOrigin function that reflects arbitrary Origin headers in Access-Control-Allow-Origin with credentials allowed. This affects key API endpoints handling user data and authentication. Combined with the SameSite=None cookie policy, this enables any website to perform credentialed cross-origin requests, potentially exposing user PII, livestream keys, and allowing unauthorized state changes. A fix is committed but no official patch release or advisory is confirmed yet.
AI Analysis
Technical Summary
The vulnerability in WWBN AVideo (<=29.0) arises from the allowOrigin($allowAll=true) function in objects/functions.php, which reflects any Origin header back in Access-Control-Allow-Origin and sets Access-Control-Allow-Credentials to true. This insecure CORS policy is applied on primary API endpoints (plugin/API/get.json.php and plugin/API/set.json.php) that manage sensitive user data and authentication. Because the application uses SameSite=None cookies, malicious websites can make credentialed cross-origin requests and read authenticated responses, leading to theft of personally identifiable information, livestream credentials, and unauthorized state changes. A code commit (caf705f38eae0ccfac4c3af1587781355d24495e) contains a fix, but no official patch or vendor advisory is documented.
Potential Impact
Exploitation allows attackers to perform cross-origin requests with user credentials, bypassing same-origin protections. This can lead to disclosure of sensitive user information including PII and livestream keys, and unauthorized modification of user state via API calls. The vulnerability has a CVSS score of 8.1 (high severity) indicating a significant risk to confidentiality and integrity, but no impact on availability. No known exploits in the wild are reported.
Mitigation Recommendations
A code fix addressing this vulnerability exists in commit caf705f38eae0ccfac4c3af1587781355d24495e. However, no official patch release or vendor advisory is currently available. Users should monitor the WWBN project for an official update and apply the fix promptly once released. Until then, consider restricting API access or implementing additional access controls to mitigate risk. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance.
CVE-2026-41056: CWE-942: Permissive Cross-domain Policy with Untrusted Domains in WWBN AVideo
Description
WWBN AVideo versions 29. 0 and below contain a permissive cross-domain policy vulnerability in the allowOrigin function that reflects arbitrary Origin headers in Access-Control-Allow-Origin with credentials allowed. This affects key API endpoints handling user data and authentication. Combined with the SameSite=None cookie policy, this enables any website to perform credentialed cross-origin requests, potentially exposing user PII, livestream keys, and allowing unauthorized state changes. A fix is committed but no official patch release or advisory is confirmed yet.
CVSS v3.1
Score 8.1high
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability in WWBN AVideo (<=29.0) arises from the allowOrigin($allowAll=true) function in objects/functions.php, which reflects any Origin header back in Access-Control-Allow-Origin and sets Access-Control-Allow-Credentials to true. This insecure CORS policy is applied on primary API endpoints (plugin/API/get.json.php and plugin/API/set.json.php) that manage sensitive user data and authentication. Because the application uses SameSite=None cookies, malicious websites can make credentialed cross-origin requests and read authenticated responses, leading to theft of personally identifiable information, livestream credentials, and unauthorized state changes. A code commit (caf705f38eae0ccfac4c3af1587781355d24495e) contains a fix, but no official patch or vendor advisory is documented.
Potential Impact
Exploitation allows attackers to perform cross-origin requests with user credentials, bypassing same-origin protections. This can lead to disclosure of sensitive user information including PII and livestream keys, and unauthorized modification of user state via API calls. The vulnerability has a CVSS score of 8.1 (high severity) indicating a significant risk to confidentiality and integrity, but no impact on availability. No known exploits in the wild are reported.
Mitigation Recommendations
A code fix addressing this vulnerability exists in commit caf705f38eae0ccfac4c3af1587781355d24495e. However, no official patch release or vendor advisory is currently available. Users should monitor the WWBN project for an official update and apply the fix promptly once released. Until then, consider restricting API access or implementing additional access controls to mitigate risk. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-16T16:43:03.173Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69e85dc119fe3cd2cd70808f
Added to database: 4/22/2026, 5:33:53 AM
Last enriched: 4/29/2026, 11:43:19 AM
Last updated: 6/6/2026, 10:55:34 PM
Views: 66
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.