Shodan
Vulnerabilities
Vulnerable Software

Vulnerability Details CVE-2026-41056

WWBN AVideo is an open source video platform. In versions 29.0 and below, the `allowOrigin($allowAll=true)` function in `objects/functions.php` reflects any arbitrary `Origin` header back in `Access-Control-Allow-Origin` along with `Access-Control-Allow-Credentials: true`. This function is called by both `plugin/API/get.json.php` and `plugin/API/set.json.php` — the primary API endpoints that handle user data retrieval, authentication, livestream credentials, and state-changing operations. Combined with the application's `SameSite=None` session cookie policy, any website can make credentialed cross-origin requests and read authenticated API responses, enabling theft of user PII, livestream keys, and performing state changes on behalf of the victim. Commit caf705f38eae0ccfac4c3af1587781355d24495e contains a fix.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 16.0%
CVSS Severity
CVSS v3 Score 8.1
Products affected by CVE-2026-41056
  • Wwbn » Avideo » Version: N/A
    cpe:2.3:a:wwbn:avideo:-
  • Wwbn » Avideo » Version: 10.1
    cpe:2.3:a:wwbn:avideo:10.1
  • Wwbn » Avideo » Version: 10.2
    cpe:2.3:a:wwbn:avideo:10.2
  • Wwbn » Avideo » Version: 10.4
    cpe:2.3:a:wwbn:avideo:10.4
  • Wwbn » Avideo » Version: 10.8
    cpe:2.3:a:wwbn:avideo:10.8
  • Wwbn » Avideo » Version: 11
    cpe:2.3:a:wwbn:avideo:11
  • Wwbn » Avideo » Version: 11.1
    cpe:2.3:a:wwbn:avideo:11.1
  • Wwbn » Avideo » Version: 11.1.1
    cpe:2.3:a:wwbn:avideo:11.1.1
  • Wwbn » Avideo » Version: 11.5
    cpe:2.3:a:wwbn:avideo:11.5
  • Wwbn » Avideo » Version: 11.6
    cpe:2.3:a:wwbn:avideo:11.6
  • Wwbn » Avideo » Version: 12.4
    cpe:2.3:a:wwbn:avideo:12.4
  • Wwbn » Avideo » Version: 14.2
    cpe:2.3:a:wwbn:avideo:14.2
  • Wwbn » Avideo » Version: 14.3
    cpe:2.3:a:wwbn:avideo:14.3
  • Wwbn » Avideo » Version: 14.3.1
    cpe:2.3:a:wwbn:avideo:14.3.1
  • Wwbn » Avideo » Version: 14.4
    cpe:2.3:a:wwbn:avideo:14.4
  • Wwbn » Avideo » Version: 2.2
    cpe:2.3:a:wwbn:avideo:2.2
  • Wwbn » Avideo » Version: 2.4
    cpe:2.3:a:wwbn:avideo:2.4
  • Wwbn » Avideo » Version: 2.7
    cpe:2.3:a:wwbn:avideo:2.7
  • Wwbn » Avideo » Version: 3.4
    cpe:2.3:a:wwbn:avideo:3.4
  • Wwbn » Avideo » Version: 3.4.1
    cpe:2.3:a:wwbn:avideo:3.4.1
  • Wwbn » Avideo » Version: 4.0
    cpe:2.3:a:wwbn:avideo:4.0
  • Wwbn » Avideo » Version: 4.0.1
    cpe:2.3:a:wwbn:avideo:4.0.1
  • Wwbn » Avideo » Version: 4.0.2
    cpe:2.3:a:wwbn:avideo:4.0.2
  • Wwbn » Avideo » Version: 5.0
    cpe:2.3:a:wwbn:avideo:5.0
  • Wwbn » Avideo » Version: 6.5
    cpe:2.3:a:wwbn:avideo:6.5
  • Wwbn » Avideo » Version: 7.2
    cpe:2.3:a:wwbn:avideo:7.2
  • Wwbn » Avideo » Version: 7.3
    cpe:2.3:a:wwbn:avideo:7.3
  • Wwbn » Avideo » Version: 7.4
    cpe:2.3:a:wwbn:avideo:7.4
  • Wwbn » Avideo » Version: 7.5
    cpe:2.3:a:wwbn:avideo:7.5
  • Wwbn » Avideo » Version: 7.6
    cpe:2.3:a:wwbn:avideo:7.6
  • Wwbn » Avideo » Version: 7.7
    cpe:2.3:a:wwbn:avideo:7.7
  • Wwbn » Avideo » Version: 7.8
    cpe:2.3:a:wwbn:avideo:7.8
  • Wwbn » Avideo » Version: 8.1
    cpe:2.3:a:wwbn:avideo:8.1
  • Wwbn » Avideo » Version: 8.5
    cpe:2.3:a:wwbn:avideo:8.5
  • Wwbn » Avideo » Version: 8.6
    cpe:2.3:a:wwbn:avideo:8.6
  • Wwbn » Avideo » Version: 8.7
    cpe:2.3:a:wwbn:avideo:8.7
  • Wwbn » Avideo » Version: 8.9
    cpe:2.3:a:wwbn:avideo:8.9
  • Wwbn » Avideo » Version: 8.9.1
    cpe:2.3:a:wwbn:avideo:8.9.1


Products
Pricing
Contact Us

Shodan ® - All rights reserved