CVE-2026-33716 CRITICAL

CVE-2026-33716: AVideo Allows Unauthenticated Live Stream Control via Token Verification URL Override in control.json.php

Vendor Wwbn
Product AVideo
Weakness CWE-287 · Improper authentication
Published March 23, 2026
Last update March 24, 2026

CVSS base score

9.4/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality Low
Integrity High
Availability High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H

What the vulnerability does

Description

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the standalone live stream control endpoint at `plugin/Live/standAloneFiles/control.json.php` accepts a user-supplied `streamerURL` parameter that overrides where the server sends token verification requests. An attacker can redirect token verification to a server they control that always returns `{"error": false}`, completely bypassing authentication. This grants unauthenticated control over any live stream on the platform, including dropping active publishers, starting/stopping recordings, and probing stream existence. Commit 388fcd57dbd16f6cb3ebcdf1d08cf2b929941128 contains a patch.
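The flaw described above comes down to one decision: who chooses the host that answers the token check. The following PHP is an added illustration, not AVideo's code; the function names, the `allowedHosts` setting and the `/token/verify` path are hypothetical. It shows the vulnerable shape beside a hardened one in which the verification target is server-side configuration only.

```php
<?php
// Added illustration of the pattern behind CVE-2026-33716 (not AVideo code).
// Hypothetical names: verificationUrlVulnerable, verificationUrlHardened,
// the allowedHosts config key and the /token/verify path.

// Vulnerable shape: a caller-supplied streamerURL decides where the token is
// verified, so the check can be pointed at any host that answers {"error": false}.
function verificationUrlVulnerable(array $request, array $config): string
{
    $base = $request['streamerURL'] ?? $config['streamerURL'];
    return rtrim($base, '/') . '/token/verify';
}

// Hardened shape: the verification host comes only from server-side config and
// must match an allowlist; anything the caller sends as streamerURL is ignored.
function verificationUrlHardened(array $request, array $config): string
{
    $base = $config['streamerURL'];
    $host = parse_url($base, PHP_URL_HOST);
    if (!is_string($host) || !in_array($host, $config['allowedHosts'], true)) {
        throw new RuntimeException('token verification target is not an allowed host');
    }
    return rtrim($base, '/') . '/token/verify';
}

// Constructed sample input: a request carrying an override, and the server config.
$request = ['streamerURL' => 'https://override.example/', 'token' => 'sample-token'];
$config  = [
    'streamerURL'  => 'https://streamer.example.org',
    'allowedHosts' => ['streamer.example.org'],
];

// Vulnerable: verification goes wherever the request says.
echo verificationUrlVulnerable($request, $config), PHP_EOL;
// Hardened: verification always goes to the configured, allowlisted host.
echo verificationUrlHardened($request, $config), PHP_EOL;
```

Detection-wise, the same idea applies to logging: a verification request leaving the server for a host that is not the configured streamer is the signal to alert on.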

Key dates

Disclosure timeline

March 23, 2026 CVE published
March 24, 2026 Record updated