{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33716", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-23T17:06:05.748Z", "datePublished": "2026-03-23T18:46:47.412Z", "dateUpdated": "2026-03-24T14:25:27.605Z"}, "containers": {"cna": {"title": "AVideo Allows Unauthenticated Live Stream Control via Token Verification URL Override in control.json.php", "problemTypes": [{"descriptions": [{"cweId": "CWE-287", "lang": "en", "description": "CWE-287: Improper Authentication", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.4, "baseSeverity": "CRITICAL", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/WWBN/AVideo/security/advisories/GHSA-9hv9-gvwm-95f2", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-9hv9-gvwm-95f2"}, {"name": "https://github.com/WWBN/AVideo/commit/388fcd57dbd16f6cb3ebcdf1d08cf2b929941128", "tags": ["x_refsource_MISC"], "url": "https://github.com/WWBN/AVideo/commit/388fcd57dbd16f6cb3ebcdf1d08cf2b929941128"}], "affected": [{"vendor": "WWBN", "product": "AVideo", "versions": [{"version": "<= 26.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-23T18:46:47.412Z"}, "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions up to and including 26.0, the standalone live stream control endpoint at `plugin/Live/standAloneFiles/control.json.php` accepts a user-supplied `streamerURL` parameter that overrides where the server sends token verification requests. An attacker can redirect token verification to a server they control that always returns `{\"error\": false}`, completely bypassing authentication. This grants unauthenticated control over any live stream on the platform, including dropping active publishers, starting/stopping recordings, and probing stream existence. Commit 388fcd57dbd16f6cb3ebcdf1d08cf2b929941128 contains a patch."}], "source": {"advisory": "GHSA-9hv9-gvwm-95f2", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-24T14:25:16.547362Z", "id": "CVE-2026-33716", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T14:25:27.605Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33716", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-24T14:25:16.547362Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T14:25:22.703Z"}}], "cna": {"title": "AVideo Allows Unauthenticated Live Stream Control via Token Verification URL Override in control.json.php", "source": {"advisory": "GHSA-9hv9-gvwm-95f2", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.4, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "WWBN", "product": "AVideo", "versions": [{"status": "affected", "version": "<= 26.0"}]}], "references": [{"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-9hv9-gvwm-95f2", "name": "https://github.com/WWBN/AVideo/security/advisories/GHSA-9hv9-gvwm-95f2", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/WWBN/AVideo/commit/388fcd57dbd16f6cb3ebcdf1d08cf2b929941128", "name": "https://github.com/WWBN/AVideo/commit/388fcd57dbd16f6cb3ebcdf1d08cf2b929941128", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions up to and including 26.0, the standalone live stream control endpoint at `plugin/Live/standAloneFiles/control.json.php` accepts a user-supplied `streamerURL` parameter that overrides where the server sends token verification requests. An attacker can redirect token verification to a server they control that always returns `{\"error\": false}`, completely bypassing authentication. This grants unauthenticated control over any live stream on the platform, including dropping active publishers, starting/stopping recordings, and probing stream existence. Commit 388fcd57dbd16f6cb3ebcdf1d08cf2b929941128 contains a patch."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-287", "description": "CWE-287: Improper Authentication"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-23T18:46:47.412Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33716", "state": "PUBLISHED", "dateUpdated": "2026-03-24T14:25:27.605Z", "dateReserved": "2026-03-23T17:06:05.748Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-23T18:46:47.412Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*", "matchCriteriaId": "774C24F1-9D26-484F-B931-1DA107C8F588", "versionEndIncluding": "26.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions up to and including 26.0, the standalone live stream control endpoint at `plugin/Live/standAloneFiles/control.json.php` accepts a user-supplied `streamerURL` parameter that overrides where the server sends token verification requests. An attacker can redirect token verification to a server they control that always returns `{\"error\": false}`, completely bypassing authentication. This grants unauthenticated control over any live stream on the platform, including dropping active publishers, starting/stopping recordings, and probing stream existence. Commit 388fcd57dbd16f6cb3ebcdf1d08cf2b929941128 contains a patch."}, {"lang": "es", "value": "WWBN AVideo es una plataforma de video de c\u00f3digo abierto. En versiones hasta la 26.0 inclusive, el endpoint de control de transmisi\u00f3n en vivo independiente en 'plugin/Live/standAloneFiles/control.json.php' acepta un par\u00e1metro 'streamerURL' proporcionado por el usuario que anula d\u00f3nde el servidor env\u00eda las solicitudes de verificaci\u00f3n de token. Un atacante puede redirigir la verificaci\u00f3n de token a un servidor que controlan que siempre devuelve '{\"error\": false}', eludiendo completamente la autenticaci\u00f3n. Esto otorga control no autenticado sobre cualquier transmisi\u00f3n en vivo en la plataforma, incluyendo la desconexi\u00f3n de publicadores activos, el inicio/parada de grabaciones y la sondeo de la existencia de transmisiones. El commit 388fcd57dbd16f6cb3ebcdf1d08cf2b929941128 contiene un parche."}], "id": "CVE-2026-33716", "lastModified": "2026-03-25T15:05:05.063", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.4, "baseSeverity": "CRITICAL", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.5, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-23T19:16:42.323", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/WWBN/AVideo/commit/388fcd57dbd16f6cb3ebcdf1d08cf2b929941128"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-9hv9-gvwm-95f2"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,26.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "AVideo", "source": "cna", "vendor": "WWBN"}, "product": "avideo", "vendor": "wwbn"}], "analysis": {"en": {"generated_at": "2026-03-25T16:40:10.577963+00:00", "value": {"mitigation_remediation": ["Update AVideo to a version newer than 26.0 or apply the patch commit 388fcd57dbd16f6cb3ebcdf1d08cf2b929941128", "Verify that the control.json.php endpoint no longer accepts arbitrary streamerURL values", "Monitor AVideo deployments and vendor advisories for additional patches or workarounds"], "summary": {"action": "Immediate Patch", "impact": "Authentication Bypass via Live Stream Control"}, "threat_synthesis": {"affected_systems": "The flaw affects versions of AVideo up to and including 26.0, specifically the plugin located at plugin/Live/standAloneFiles/control.json.php. All installations of the AVideo open\u2011source video platform deploying this endpoint are susceptible unless upgraded beyond the vulnerable version.", "description_and_impact": "The vulnerability exists in the live stream control endpoint of the AVideo platform, allowing an attacker to supply a custom streamerURL parameter that redirects token verification to an attacker\u2011controlled server. The controlled server can always return a success response, effectively bypassing authentication and granting unauthenticated users the ability to drop live publishers, start or stop recordings, and probe the existence of streams. This flaw provides direct, disruptive control over live video streams, potentially impacting availability, integrity, and the integrity of content delivery.", "risk_and_exploitability": "The CVSS base score of 9.4 indicates critical severity, while an EPSS score of less than 1% suggests the exploit probability is currently low. However, the vulnerability is not listed in CISA\u2019s KEV catalog, indicating no publicly known exploit yet. The most likely attack vector is a remote unauthenticated HTTP request to the vulnerable endpoint; an attacker only needs to craft a request containing a forged streamerURL. Once exploited, the attacker gains extensive control over live streams, posing a high risk to operational continuity."}}}}, "created": "2026-03-24T10:33:12.309891+00:00", "updated": "2026-03-25T20:37:03.666689+00:00", "vendors": ["wwbn", "wwbn$PRODUCT$avideo"]}