CVE-2026-41057: CWE-346: Origin Validation Error in WWBN AVideo
WWBN AVideo versions 29.0 and below have an origin validation vulnerability in their CORS implementation. The incomplete fix for CORS origin validation allows arbitrary Origin headers with credentials to be accepted on all /api/* endpoints. This enables an attacker to perform cross-origin credentialed requests and read authenticated responses containing sensitive user information such as PII, email, admin status, and session data. A fix is available in commit 5e2b897ccac61eb6daca2dee4a6be3c4c2d93e13, but no official patch release information is provided yet.
AI Analysis
Technical Summary
CVE-2026-41057 is a CWE-346 Origin Validation Error affecting WWBN AVideo versions 29.0 and earlier. The vulnerability arises because two code paths reflect arbitrary Origin headers with Access-Control-Allow-Credentials set to true, specifically in plugin/API/router.php and in allowOrigin(true) calls within get.json.php and set.json.php. This improper CORS configuration allows cross-origin credentialed requests to API endpoints, exposing authenticated user data including personally identifiable information and session-sensitive details. Although a corrective commit has been identified, no official patch or vendor advisory confirming remediation status is currently available.
Potential Impact
An attacker can exploit this vulnerability to perform cross-origin requests that include user credentials and read sensitive authenticated responses. This can lead to unauthorized disclosure of user personally identifiable information, email addresses, administrative status, and session-related data. The vulnerability compromises confidentiality but does not affect integrity or availability. The CVSS score of 7.1 reflects a high severity due to the ease of exploitation and the sensitive nature of the data exposed.
Mitigation Recommendations
A fix for this vulnerability exists in commit 5e2b897ccac61eb6daca2dee4a6be3c4c2d93e13. However, there is no official vendor advisory or patch release confirming deployment of this fix. Users should review and apply this commit or subsequent official patches when available. Until patched, restrict cross-origin requests to trusted origins and consider disabling credentialed CORS requests on API endpoints as a temporary mitigation. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance.
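The mitigation above amounts to one rule: never pair a reflected Origin with Access-Control-Allow-Credentials: true; only an exact allowlist match may receive credentialed CORS headers. The following PHP is an added illustration written for this page, not AVideo's code or its fix commit; the function names (corsOriginAllowed, corsHeadersFor, emitCorsHeaders), the CORS_ALLOWED_ORIGINS constant and the example origins are all assumptions. It shows the weak reflecting pattern the advisory describes, in a comment, beside an allowlist check that also rejects the opaque "null" origin and look-alike hosts.

```php
<?php
// Added example (not WWBN AVideo project code): allowlist-based CORS origin
// validation for /api/* responses. All names below are assumptions.
declare(strict_types=1);

// Weak pattern the advisory describes (do not use): reflect whatever Origin
// arrives and also allow credentials, so any site can read authenticated JSON.
//   header('Access-Control-Allow-Origin: ' . $_SERVER['HTTP_ORIGIN']);
//   header('Access-Control-Allow-Credentials: true');

// Constructed configuration: the only origins permitted to make credentialed
// cross-origin API calls. Entries must be lowercase scheme://host[:port].
const CORS_ALLOWED_ORIGINS = [
    'https://app.example.com',
    'https://admin.example.com',
];

/**
 * True only if $origin normalises to an exact allowlist entry. Exact matching
 * (not prefix/suffix/regex) defeats look-alikes such as
 * "https://app.example.com.attacker.test".
 */
function corsOriginAllowed(?string $origin, array $allowlist): bool
{
    // Missing or opaque ("null") origins are never trusted with credentials.
    if ($origin === null || $origin === '' || $origin === 'null') {
        return false;
    }
    $parts = parse_url($origin);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    // A genuine Origin header has no path, query, fragment or userinfo.
    if (array_intersect_key($parts, array_flip(['path', 'query', 'fragment', 'user', 'pass']))) {
        return false;
    }
    $normalised = strtolower($parts['scheme']) . '://' . strtolower($parts['host'])
        . (isset($parts['port']) ? ':' . $parts['port'] : '');
    return in_array($normalised, $allowlist, true);
}

/**
 * Decide which CORS headers an API response gets. Returns an array rather
 * than calling header() directly so the decision is testable on the CLI.
 */
function corsHeadersFor(?string $origin, array $allowlist): array
{
    $headers = ['Vary' => 'Origin']; // caches must key on Origin either way
    if (!corsOriginAllowed($origin, $allowlist)) {
        return $headers; // no Access-Control-* headers: the browser blocks the read
    }
    $headers['Access-Control-Allow-Origin'] = $origin;
    $headers['Access-Control-Allow-Credentials'] = 'true';
    $headers['Access-Control-Allow-Methods'] = 'GET, POST, OPTIONS';
    $headers['Access-Control-Allow-Headers'] = 'Content-Type, Authorization';
    return $headers;
}

/** Web entry point: emit the computed headers for the current request. */
function emitCorsHeaders(array $allowlist): void
{
    foreach (corsHeadersFor($_SERVER['HTTP_ORIGIN'] ?? null, $allowlist) as $name => $value) {
        header("$name: $value");
    }
}

// CLI self-check over constructed origins (expected result on the right).
if (PHP_SAPI === 'cli') {
    $cases = [
        'https://app.example.com'               => true,
        'HTTPS://App.Example.com'               => true,
        'https://app.example.com.attacker.test' => false,
        'https://attacker.test'                 => false,
        'https://app.example.com/'              => false,
        'null'                                  => false,
        ''                                      => false,
    ];
    foreach ($cases as $origin => $expected) {
        $got = corsOriginAllowed($origin, CORS_ALLOWED_ORIGINS);
        printf("%-42s %s\n", var_export($origin, true), $got === $expected ? 'ok' : 'MISMATCH');
    }
}
```

Run it with `php cors_allowlist.php` to see the table of decisions; in a handler, call emitCorsHeaders(CORS_ALLOWED_ORIGINS) before writing the JSON body. Emitting Vary: Origin on every response, allowed or not, keeps shared caches from serving one origin's headers to another.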
CVSS v3.1 score: 7.1 (High)
Weaknesses: CWE-346 (Origin Validation Error)
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-04-16T16:43:03.173Z
- CVSS Version: 3.1
- State: PUBLISHED
- Remediation Level: null
Threat ID: 69e85dc119fe3cd2cd708093
Added to database: 4/22/2026, 5:33:53 AM
Last enriched: 4/29/2026, 11:12:35 AM
Last updated: 6/7/2026, 1:01:05 AM