#VU125464 Session Fixation in AVideo - CVE-2026-33492

Published: April 8, 2026


Vulnerability identifier: #VU125464
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-33492
CWE-ID: CWE-384
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
AVideo
Software vendor:
World Wide Broadcast Network

Description

The vulnerability allows a remote user to hijack an authenticated session.

The vulnerability exists due to session fixation in _session_start() and User::login(): a session identifier supplied through the PHPSESSID GET parameter of a crafted same-domain link is accepted by _session_start(), and it is not replaced when User::login() authenticates the victim. A remote user can send a specially crafted link to a victim; once the victim logs in, the attacker-chosen identifier is bound to the victim's authenticated session, and the attacker can present that identifier to hijack the session.

User interaction is required: the attacker must know the identifier in advance (they choose it), and exploitation relies on the victim following the link from within the AVideo platform so that the request is treated as same-domain and the identifier is honoured.
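To show the mechanics behind the description, the following is an added example and not AVideo's code: the function names, the way the id is read from the query string, and the request simulation are all assumptions. It models the flow with PHP's own session extension from the CLI (files handler in a temporary directory), simulating each HTTP request by closing the session and reopening it under the id that client would present. A hypothetical vulnerable session start that adopts a PHPSESSID from the query string and a login that keeps the id are placed beside a hardened pair that ignores request-supplied ids, enables session.use_strict_mode and rotates the id with session_regenerate_id(true) at login.

```php
<?php
declare(strict_types=1);

// Added example, not AVideo's code: hypothetical vulnerable_*/hardened_* helpers
// exercised with PHP's real session machinery from the CLI. Each simulated
// "request" closes the session and reopens it under the id that client presents.

$savePath = sys_get_temp_dir() . '/sess_fixation_demo_' . getmypid();
mkdir($savePath, 0700);
ini_set('session.save_path', $savePath);
ini_set('session.use_cookies', '0');   // CLI: there is no client to send a cookie to
ini_set('session.cache_limiter', '');  // CLI: suppress cache-limiter headers

// Vulnerable pattern (hypothetical): adopt a session id supplied in the URL.
function vulnerable_session_start(array $get): void
{
    ini_set('session.use_strict_mode', '0');            // PHP's default
    if (isset($get['PHPSESSID']) && is_string($get['PHPSESSID'])) {
        session_id($get['PHPSESSID']);                  // attacker-chosen id accepted
    }
    session_start();
}

function vulnerable_login(string $user): void
{
    $_SESSION['user'] = $user;                          // privilege changes, id does not
}

// Hardened pattern: ignore any request-supplied id, refuse ids the server never
// issued (strict mode), and rotate the id at the moment of login.
function hardened_session_start(array $get): void
{
    ini_set('session.use_strict_mode', '1');
    session_start();                                    // $get['PHPSESSID'] deliberately unused
}

function hardened_login(string $user): void
{
    session_regenerate_id(true);                        // fresh id; the pre-login id is deleted
    $_SESSION['user'] = $user;
}

// Simulated requests: the victim follows the attacker's link and logs in,
// then the attacker replays the id they chose.
function run_scenario(callable $start, callable $login): array
{
    $fixedSid = bin2hex(random_bytes(16));   // attacker-chosen id (hex is valid for the files handler)

    // Request 1: victim with no prior session opens .../index.php?PHPSESSID=<fixedSid>
    session_id('');                          // clear any id left from a previous "request"
    $start(['PHPSESSID' => $fixedSid]);
    $login('victim');
    $victimSid = session_id();
    session_write_close();

    // Request 2: attacker presents the id they planted
    session_id($fixedSid);
    session_start();
    $hijacked = $_SESSION['user'] ?? null;
    session_destroy();

    return ['fixed_sid' => $fixedSid, 'victim_sid' => $victimSid, 'attacker_sees' => $hijacked];
}

$vuln = run_scenario('vulnerable_session_start', 'vulnerable_login');
$hard = run_scenario('hardened_session_start', 'hardened_login');

// Remove the session files both runs left behind
array_map('unlink', glob($savePath . '/sess_*') ?: []);
rmdir($savePath);

printf("vulnerable: victim sid == fixed sid? %s; attacker sees user: %s\n",
    $vuln['victim_sid'] === $vuln['fixed_sid'] ? 'yes' : 'no',
    var_export($vuln['attacker_sees'], true));
printf("hardened:   victim sid == fixed sid? %s; attacker sees user: %s\n",
    $hard['victim_sid'] === $hard['fixed_sid'] ? 'yes' : 'no',
    var_export($hard['attacker_sees'], true));
```

Run it with the php CLI. In the vulnerable run the victim ends up authenticated under the attacker's id, so the attacker's replay reads the victim's user from the session; in the hardened run the planted id is never bound to anything, because strict mode refuses it and the login rotates the id anyway. Both measures are worth applying together: strict mode alone still leaves an id that was issued to the attacker usable if the application binds authentication to it without rotating.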


Remediation

Install the security update from the vendor's website.

External links