CVE-2026-33043: AVideo affected by Session Hijacking via Unauthenticated Session ID Disclosure with Permissive CORS

March 17, 2026 (updated March 20, 2026)

/objects/phpsessionid.json.php exposes the current PHP session ID to any unauthenticated request. The allowOrigin() function reflects any Origin header back in Access-Control-Allow-Origin with Access-Control-Allow-Credentials: true, enabling cross-origin session theft and full account takeover.

References

github.com/WWBN/AVideo
github.com/WWBN/AVideo/commit/9f4f51e5df5e3343400f9d0068705f5482b6f930
github.com/WWBN/AVideo/security/advisories/GHSA-qc3p-398r-p59j
github.com/advisories/GHSA-qc3p-398r-p59j
nvd.nist.gov/vuln/detail/CVE-2026-33043

Code Behaviors & Features

Detect and mitigate CVE-2026-33043 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →