CVE-2026-33716
- Source
- https://cve.org/CVERecord?id=CVE-2026-33716
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33716.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2026-33716
- Aliases
- Published
- 2026-03-23T18:46:47.412Z
- Modified
- 2026-04-10T05:42:55.502563Z
- Severity
-
- 9.4 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H CVSS Calculator
- Summary
- AVideo Allows Unauthenticated Live Stream Control via Token Verification URL Override in control.json.php
- Details
-
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the standalone live stream control endpoint at
plugin/Live/standAloneFiles/control.json.phpaccepts a user-suppliedstreamerURLparameter that overrides where the server sends token verification requests. An attacker can redirect token verification to a server they control that always returns{"error": false}, completely bypassing authentication. This grants unauthenticated control over any live stream on the platform, including dropping active publishers, starting/stopping recordings, and probing stream existence. Commit 388fcd57dbd16f6cb3ebcdf1d08cf2b929941128 contains a patch. - Database specific
{ "cna_assigner": "GitHub_M", "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33716.json", "cwe_ids": [ "CWE-287" ] }- References