CVE-2026-33716 - Vulnerability Analysis
CriticalCVSS: 9.4Last Updated: March 23, 2026
WWBN AVideo - Authentication Bypass
Published: March 23, 2026Updated: March 23, 2026Remote Exploitable
Overview
WWBN AVideo <= 26.0 contains an authentication bypass caused by user-controlled streamerURL parameter in plugin/Live/standAloneFiles/control.json.php, letting unauthenticated attackers control live streams by redirecting token verification, exploit requires no special privileges.
Severity & Score
Severity: Critical
CVSS Score: 9.4
Impact
Unauthenticated attackers can control live streams, including stopping streams and recordings, leading to full live stream management compromise.
Mitigation
Update to a version including commit 388fcd57dbd16f6cb3ebcdf1d08cf2b929941128 or later.
References
Related Resources
Details
- CVE ID
- CVE-2026-33716
- Severity
- Critical
- CVSS Score
- 9.4
- Type
- broken_authentication
- Status
- new
CWE
- CWE-287
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H