CVE-2026-33492: AVideo has Session Fixation via GET PHPSESSID Parameter With Disabled Login Session Regeneration
AVideo’s _session_start() function accepts arbitrary session IDs via the PHPSESSID GET parameter and sets them as the active PHP session. A session regeneration bypass exists for specific blacklisted endpoints when the request originates from the same domain. Combined with the explicitly disabled session regeneration in User::login(), this allows a classic session fixation attack where an attacker can fix a victim’s session ID before authentication and then hijack the authenticated session.
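The pattern described above, with the two defensive controls that close it (never adopt a session ID from the request URL, and always regenerate the ID at login), as an added example; this is illustrative code, not AVideo's own, and the function names are hypothetical:

```php
<?php
// Added example, not AVideo code. Shows the fixation-prone pattern the
// advisory describes next to a hardened session bootstrap and login.

// Fixation-prone pattern (illustrative only): adopting an ID from the URL
// lets a third party choose the session the victim will authenticate into.
function fixation_prone_session_start(): void
{
    if (isset($_GET['PHPSESSID'])) {
        session_id($_GET['PHPSESSID']);   // attacker-chosen ID becomes active
    }
    session_start();
}

// Hardened bootstrap: the ID is taken from the cookie only, and unknown
// (uninitialised) IDs are rejected instead of being adopted.
function secure_session_start(): void
{
    ini_set('session.use_only_cookies', '1');  // never read the ID from GET/POST
    ini_set('session.use_trans_sid', '0');     // never rewrite it into URLs
    ini_set('session.use_strict_mode', '1');   // reject IDs the server did not issue
    session_set_cookie_params([
        'httponly' => true,
        'secure'   => true,
        'samesite' => 'Lax',
    ]);
    // Detection hook: a PHPSESSID in the query string is never honoured,
    // but logging it surfaces fixation attempts for the SOC.
    if (isset($_GET['PHPSESSID'])) {
        error_log('Ignored PHPSESSID supplied via GET from '
            . ($_SERVER['REMOTE_ADDR'] ?? 'unknown'));
    }
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
}

// Login must issue a fresh ID at the privilege change so a pre-set
// (fixated) ID can never become an authenticated one.
function login_user(int $userId): void
{
    session_regenerate_id(true);   // true = discard the old session file
    $_SESSION['user_id'] = $userId;
    $_SESSION['authenticated_at'] = time();
}

secure_session_start();
// ... after credentials have been verified:
// login_user($verifiedUserId);
```

Regenerating the ID on every privilege change (login, role elevation) is the control that defeats fixation even if an ID leaks in through another path; `use_strict_mode` is defence in depth for handlers that honour it.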