CVE-2026-41056

HIGH

AVideos has CORS Origin Reflection with Credentials on Sensitive API Endpoints that Enables Cross-Origin Account Takeover

Title source: cna

Description

WWBN AVideo is an open source video platform. In versions 29.0 and below, the `allowOrigin($allowAll=true)` function in `objects/functions.php` reflects any arbitrary `Origin` header back in `Access-Control-Allow-Origin` along with `Access-Control-Allow-Credentials: true`. This function is called by both `plugin/API/get.json.php` and `plugin/API/set.json.php` — the primary API endpoints that handle user data retrieval, authentication, livestream credentials, and state-changing operations. Combined with the application's `SameSite=None` session cookie policy, any website can make credentialed cross-origin requests and read authenticated API responses, enabling theft of user PII, livestream keys, and performing state changes on behalf of the victim. Commit caf705f38eae0ccfac4c3af1587781355d24495e contains a fix.

References (2)

[X_Refsource_Confirm] https://github.com/WWBN/AVideo/security/advisories/GHSA-ccq9-r5cw-5hwq

[X_Refsource_Misc] https://github.com/WWBN/AVideo/commit/caf705f38eae0ccfac4c3af1587781355d24495e

View Writeup ZIP pw:eip

Scores

CVSS v3 8.1

EPSS 0.0004

EPSS Percentile 13.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Details

CWE

CWE-942

Status published

Products (1)

WWBN/AVideo <= 29.0

Published Apr 21, 2026

Tracked Since Apr 22, 2026