CVE-2026-33716

CriticalPublic PoC

Published: 23 March 2026

Published

23 March 2026

Modified

25 March 2026

KEV Added

—

Patch

—

CVSS Score 9.4 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H

EPSS Score 0.0014 33.1th percentile

Risk Priority 19 60% EPSS · 20% KEV · 20% CVSS

Description

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the standalone live stream control endpoint at `plugin/Live/standAloneFiles/control.json.php` accepts a user-supplied `streamerURL` parameter that overrides where the server sends token verification requests. An attacker can…

redirect token verification to a server they control that always returns `{"error": false}`, completely bypassing authentication. This grants unauthenticated control over any live stream on the platform, including dropping active publishers, starting/stopping recordings, and probing stream existence. Commit 388fcd57dbd16f6cb3ebcdf1d08cf2b929941128 contains a patch.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Validates the user-supplied `streamerURL` parameter to prevent attackers from redirecting token verification requests to malicious servers that bypass authentication.

SI-2 Flaw Remediation good match

prevent

Remediates the authentication bypass flaw by timely applying the vendor patch that secures handling of the `streamerURL` parameter.

AC-3 Access Enforcement partial match

prevent

Enforces logical access controls on the live stream control endpoint to restrict unauthorized actions like dropping publishers or manipulating recordings.

Security SummaryAI

CVE-2026-33716 is an authentication bypass vulnerability in WWBN AVideo, an open source video platform. Affecting versions up to and including 26.0, the issue resides in the standalone live stream control endpoint at `plugin/Live/standAloneFiles/control.json.php`. This endpoint accepts a user-supplied `streamerURL` parameter that overrides the destination for token verification requests, enabling attackers to redirect these requests to a malicious server.

Any unauthenticated attacker with network access can exploit this vulnerability by controlling a server that responds to verification requests with `{"error": false}`, fully bypassing authentication checks. Successful exploitation grants complete control over any live stream on the platform, allowing actions such as dropping active publishers, starting or stopping recordings, and probing for stream existence. The vulnerability has a CVSS v3.1 base score of 9.4 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H) and is associated with CWE-287 (Improper Authentication).

The GitHub security advisory (GHSA-9hv9-gvwm-95f2) and commit 388fcd57dbd16f6cb3ebcdf1d08cf2b929941128 detail the patch, which addresses the insecure handling of the `streamerURL` parameter to prevent unauthorized overrides and ensure proper token verification. Security practitioners should update to a patched version beyond 26.0 and review configurations for exposed live stream endpoints.

Details

CWE(s): CWE-287

Affected Products

wwbn

avideo

≤ 26.0

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

The vulnerability is an authentication bypass in a public-facing web endpoint (control.json.php) that unauthenticated remote attackers can exploit to gain control over live streams, directly enabling T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://github.com/WWBN/AVideo/commit/388fcd57dbd16f6cb3ebcdf1d08cf2b929941128
Patch · security-advisories@github.com
https://github.com/WWBN/AVideo/security/advisories/GHSA-9hv9-gvwm-95f2
Exploit, Vendor Advisory · security-advisories@github.com