CVE-2026-33716 - Vulnerability Analysis
CriticalCVSS: 9.4Last Updated: March 24, 2026
WWBN AVideo - Authentication Bypass
Overview
WWBN AVideo <= 26.0 contains an authentication bypass caused by user-controlled streamerURL parameter in plugin/Live/standAloneFiles/control.json.php, letting unauthenticated attackers control live streams by redirecting token verification, exploit requires no special privileges.
Severity & Score
Impact
Unauthenticated attackers can control live streams, including stopping streams and recordings, leading to full live stream management compromise.
Mitigation
Update to a version including commit 388fcd57dbd16f6cb3ebcdf1d08cf2b929941128 or later.
References
Social Media Activity(2 posts)
š“ CVE-2026-33716 - Critical (9.4) WWBN AVideo is an open source video platform. In versions up to and including 26.0, the standalone live stream control endpoint at `plugin/Live/standAloneFiles/control.json.php` accepts a user-supplied `streamerURL` parameter that overrides where ... š https://www.thehackerwire.com/vulnerability/CVE-2026-33716/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
View original postš“ CVE-2026-33716 - Critical (9.4) WWBN AVideo is an open source video platform. In versions up to and including 26.0, the standalone live stream control endpoint at `plugin/Live/standAloneFiles/control.json.php` accepts a user-supplied `streamerURL` parameter that overrides where ... š https://www.thehackerwire.com/vulnerability/CVE-2026-33716/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
View original postRelated Resources
Details
- CVE ID
- CVE-2026-33716
- Severity
- Critical
- CVSS Score
- 9.4
- Type
- broken_authentication
- Status
- unconfirmed
- EPSS
- 8.2%
- Social Posts
- 2
CWE
- CWE-287
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H