Session Fixation in AVideo - CVE-2026-33492


Published: April 8, 2026


Vulnerability identifier: #VU125464
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-33492
CWE-ID: CWE-384
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: World Wide Broadcast Network
Affected software:
AVideo

Detailed vulnerability description

The vulnerability allows a remote user to hijack an authenticated session.

The vulnerability exists due to session fixation in _session_start() and User::login() when processing a crafted same-domain link containing the PHPSESSID GET parameter. A remote user can send a specially crafted link to hijack an authenticated session.

User interaction is required, and exploitation relies on the victim following the link from within the AVideo platform so the request is treated as same-domain.
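As an added illustration (not AVideo's code and not the vendor's fix), the pattern a reviewer would look for in `_session_start()` and `User::login()` to close this class of bug: refuse session ids supplied in the URL and regenerate the id once credentials are verified. The names `secure_session_start`, `login_user` and the `$verify` callable are assumptions.

```php
<?php
// Added example, not AVideo's code: a hypothetical hardened session start
// and login routine that closes the two doors session fixation needs.

function secure_session_start(): void
{
    // Only accept the session id from the cookie, never from ?PHPSESSID=...
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // Reject ids the server did not itself generate (uninitialised ids).
    ini_set('session.use_strict_mode', '1');

    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);

    // Never call session_id($_GET['PHPSESSID']) or similar with
    // request-controlled input; that re-opens the fixation path
    // regardless of the ini settings above.
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
}

/**
 * Hypothetical login. $verify is a callable that checks the credentials.
 * Regenerating the id after authentication means an id planted before
 * login is no longer associated with the authenticated session.
 */
function login_user(string $user, string $password, callable $verify): bool
{
    secure_session_start();
    if (!$verify($user, $password)) {
        return false;
    }
    // Replace the pre-authentication id and delete its server-side data.
    session_regenerate_id(true);
    $_SESSION['user'] = $user;
    $_SESSION['authenticated_at'] = time();
    return true;
}
```

`session.use_strict_mode` and `session_regenerate_id(true)` are the two controls that matter most here; the cookie flags are ordinary hardening that this CVE does not depend on.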


How to mitigate CVE-2026-33492

Install the security update from the vendor's website.

Sources