CVE-2026-33492 - Vulnerability Analysis
High | CVSS: 7.3 | Last Updated: March 24, 2026
WWBN AVideo - Authentication Bypass
Published: March 23, 2026 | Updated: March 24, 2026 | PoC Available | Remote Exploitable
Overview
WWBN AVideo <= 26.0 contains a session fixation vulnerability: the application accepts arbitrary session IDs via the PHPSESSID GET parameter, and session regeneration is disabled, letting attackers hijack authenticated sessions. Exploitation requires a same-domain request to blacklisted endpoints.
Severity & Score
Severity: High
CVSS Score: 7.3
Impact
Attackers can hijack authenticated user sessions by fixing session IDs before login, leading to account compromise.
Mitigation
Update to a version including commit 5647a94d79bf69a972a86653fe02144079948785 or later.
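For reviewing a deployment that ran an affected version, the following added example (not code from AVideo or from the advisory) scans web server access logs for requests that carried PHPSESSID in the query string, the vector named in the Overview. It assumes the common combined log format; the sample lines, paths and session IDs are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Combined-log-format prefix: client IP, timestamp, request line, status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def find_url_session_ids(lines):
    """Return {session_id: [(ip, timestamp, path), ...]} for every request
    that supplied PHPSESSID as a GET parameter."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a parsable access-log line
        url = urlsplit(m["target"])
        for sid in parse_qs(url.query, keep_blank_values=True).get("PHPSESSID", []):
            hits[sid].append((m["ip"], m["ts"], url.path))
    return dict(hits)

def shared_session_ids(hits):
    """URL-supplied session IDs seen from more than one client IP.
    Any URL-supplied ID deserves review; reuse across IPs is the stronger
    signal. Cookie-borne reuse is not visible in this log format."""
    shared = {}
    for sid, seen in hits.items():
        ips = sorted({ip for ip, _, _ in seen})
        if len(ips) > 1:
            shared[sid] = ips
    return shared

# Constructed sample log lines (documentation IP ranges, made-up paths).
SAMPLE_LOG = [
    '198.51.100.7 - - [24/Mar/2026:10:01:02 +0000] "GET /example/a.php?PHPSESSID=aaaabbbbccccdddd HTTP/1.1" 200 512',
    '192.0.2.44 - - [24/Mar/2026:10:05:40 +0000] "GET /example/a.php?PHPSESSID=aaaabbbbccccdddd HTTP/1.1" 200 512',
    '192.0.2.45 - - [24/Mar/2026:10:06:00 +0000] "GET /example/b.php?id=3 HTTP/1.1" 200 900',
    '192.0.2.46 - - [24/Mar/2026:10:07:11 +0000] "POST /example/c.php?x=1&PHPSESSID=eeeeffff00001111 HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    found = find_url_session_ids(SAMPLE_LOG)
    for sid, ips in shared_session_ids(found).items():
        print(f"session ID {sid} supplied via URL from {len(ips)} IPs: {ips}")
```

Session IDs flagged this way should be invalidated server-side, since a fixed ID stays usable until the session is destroyed.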
Details
- CVE ID: CVE-2026-33492
- Severity: High
- CVSS Score: 7.3
- Type: broken_authentication
- Status: confirmed
CWE
- CWE-384
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N