CVE-2026-41056 - Vulnerability Analysis
High | CVSS: 8.1 | Last Updated: April 21, 2026
WWBN AVideo - CORS Misconfiguration
Overview
WWBN AVideo <= 29.0 contains a CORS misconfiguration: it reflects arbitrary Origin headers in Access-Control-Allow-Origin with credentials allowed. This lets remote attackers steal user PII and perform state changes via credentialed cross-origin requests. Exploitation requires the victim to visit an attacker-controlled website.
Severity & Score
Impact
Attackers can steal user personal data and perform actions on behalf of authenticated users via cross-origin requests.
Mitigation
Update to a version including commit caf705f38eae0ccfac4c3af1587781355d24495e or later.
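For sites reviewing their own CORS handling, the reflected-Origin pattern from the overview is shown here beside an exact-match allowlist. This is an added example, not AVideo's code and not the content of the referenced commit; the function names, the allowlist and the sample origins are hypothetical.

```php
<?php
// Added example, not AVideo's code. Function names, the allowlist and the
// sample origins are hypothetical.

// The pattern described in the overview: whatever Origin the browser sends is
// echoed back, and credentials are allowed for it.
function corsHeadersReflecting(?string $origin): array
{
    if ($origin === null || $origin === '') {
        return [];
    }
    return [
        'Access-Control-Allow-Origin'      => $origin,
        'Access-Control-Allow-Credentials' => 'true',
    ];
}

// Hardened form: credentialed CORS only for exact, case-sensitive matches
// against a fixed list of full origins (scheme + host + optional port).
function corsHeadersAllowlisted(?string $origin, array $trustedOrigins): array
{
    // Vary: Origin stops shared caches from replaying one origin's response
    // to another origin.
    $headers = ['Vary' => 'Origin'];
    if ($origin !== null && in_array($origin, $trustedOrigins, true)) {
        $headers['Access-Control-Allow-Origin']      = $origin;
        $headers['Access-Control-Allow-Credentials'] = 'true';
    }
    return $headers;
}

$trusted = ['https://videos.example.com'];      // constructed allowlist
$samples = [                                    // constructed Origin values
    'https://videos.example.com',
    'https://untrusted.example.net',
    'https://videos.example.com.untrusted.example.net', // suffix look-alike
    'null',                                     // sandboxed iframe / file:// origin
];

foreach ($samples as $origin) {
    $weak = corsHeadersReflecting($origin);
    $safe = corsHeadersAllowlisted($origin, $trusted);
    printf(
        "%-50s reflecting=%-12s allowlisted=%s\n",
        $origin,
        isset($weak['Access-Control-Allow-Credentials']) ? 'credentialed' : 'no-cors',
        isset($safe['Access-Control-Allow-Credentials']) ? 'credentialed' : 'no-cors'
    );
}
```

In a request handler, each returned name/value pair would be sent with `header("$name: $value")` before any output.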
References
Social Media Activity (2 posts)
CVE-2026-41056 - High (8.1) WWBN AVideo is an open source video platform. In versions 29.0 and below, the `allowOrigin($allowAll=true)` function in `objects/functions.php` reflects any arbitrary `Origin` header back in `Access-Control-Allow-Origin` along with `Access-Control... https://www.thehackerwire.com/vulnerability/CVE-2026-41056/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
Details
- CVE ID: CVE-2026-41056
- Severity: High
- CVSS Score: 8.1
- Type: cors_misconfiguration
- Status: new
- EPSS: 0.0%
- Social Posts: 2
CWE
- CWE-942
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N