Platform: php
Component: wwbn/avideo
Fixed version: 26.0.1
CVE-2026-33716 is a critical authentication bypass vulnerability discovered in wwbn/avideo versions up to 26.0. This flaw allows attackers to redirect token verification requests, effectively bypassing authentication and gaining unauthorized control over live streams. The vulnerability resides in the streamerURL parameter within the live stream control endpoint, enabling malicious actors to manipulate the verification process. A patch is available to address this issue.
The impact of CVE-2026-33716 is severe. An attacker exploiting this vulnerability can gain complete control over any live stream on the affected platform. This includes the ability to drop active publishers, start or stop recordings, and even probe the existence of streams without proper authentication. The attacker essentially becomes an administrator of the live streaming service, potentially leading to data breaches, service disruption, and reputational damage. This vulnerability shares similarities with other authentication bypass flaws where improper input validation allows attackers to circumvent security controls.
CVE-2026-33716 was publicly disclosed on 2026-03-25. The vulnerability's severity and ease of exploitation suggest a medium probability of exploitation (EPSS score likely medium). Public proof-of-concept (PoC) code is anticipated given the nature of the vulnerability. Monitor security advisories and threat intelligence feeds for any indications of active exploitation campaigns.
Organizations and individuals utilizing wwbn/avideo for live streaming applications are at risk, particularly those running older, unpatched versions (≤26.0). Shared hosting environments where multiple users share the same server instance are also at increased risk, as a compromise of one user's account could potentially lead to the exploitation of this vulnerability across the entire platform.
• php / server:
grep -r 'streamerURL' /var/www/avideo/
• generic web:
curl -I 'https://your-avideo-domain.com/plugin/Live/standAloneFiles/control.json.php?streamerURL=http://attacker.com'
• generic web:
curl -s 'https://your-avideo-domain.com/plugin/Live/standAloneFiles/control.json.php' | grep streamerURL
Exploit status
EPSS: 0.09% (26th percentile)
The primary mitigation for CVE-2026-33716 is to upgrade to a patched version of wwbn/avideo. If immediate patching is not possible, implement temporary workarounds. A Web Application Firewall (WAF) can be configured to validate the streamerURL parameter, ensuring it points to a trusted domain. Strict server-side input validation is also crucial to prevent attackers from injecting malicious URLs. Consider rate limiting the live stream control endpoint to mitigate potential abuse. After upgrading, confirm functionality by initiating a live stream and verifying that authentication is enforced correctly.
Update AVideo to a version later than 26.0. The vulnerability is fixed in commit 388fcd57dbd16f6cb3ebcdf1d08cf2b929941128. This prevents unauthenticated attackers from controlling live streams.
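The trusted-domain check described in the mitigation text, applied here to web-server access logs to find earlier requests to the control endpoint that carried an untrusted streamerURL. This is an added example, not AVideo's own code; the trusted-host set, the combined log format and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Assumption: hosts your deployment legitimately uses as the streamer.
TRUSTED_STREAMER_HOSTS = {"your-avideo-domain.com"}
CONTROL_PATH = "/plugin/Live/standAloneFiles/control.json.php"
# Leading fields of the common/combined access-log format (assumed).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[A-Z]+ (?P<target>\S+) [^"]*"')

# Constructed sample lines (documentation IP ranges, reserved .example hosts).
SAMPLE_LOG = [
    '203.0.113.7 - - [25/Mar/2026:10:01:02 +0000] "GET ' + CONTROL_PATH
    + '?streamerURL=https%3A%2F%2Fyour-avideo-domain.com%2F HTTP/1.1" 200 120',
    '198.51.100.9 - - [25/Mar/2026:10:02:10 +0000] "GET ' + CONTROL_PATH
    + '?streamerURL=http://untrusted.example/ HTTP/1.1" 200 98',
    '198.51.100.9 - - [25/Mar/2026:10:02:11 +0000] "GET ' + CONTROL_PATH
    + '?streamerURL=https://your-avideo-domain.com.untrusted.example/ HTTP/1.1" 200 98',
    '192.0.2.4 - - [25/Mar/2026:10:03:00 +0000] "GET /index.php HTTP/1.1" 200 5120',
]

def streamer_url_trusted(value, trusted=TRUSTED_STREAMER_HOSTS):
    """Exact-host allowlist test, as a WAF rule or server-side check would apply it."""
    try:
        parts = urlsplit(value.strip())
        host = (parts.hostname or "").rstrip(".")
    except ValueError:  # malformed authority, e.g. unbalanced IPv6 brackets
        return False
    if parts.scheme not in ("http", "https") or parts.username or parts.password:
        return False  # reject other schemes and user@host forms
    return host in trusted  # exact match, so look-alike suffixes fail

def find_untrusted_requests(lines, trusted=TRUSTED_STREAMER_HOSTS):
    """Return (client_ip, timestamp, streamerURL) for control-endpoint requests off the allowlist."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        path, _, query = m.group("target").partition("?") if m else ("", "", "")
        if path != CONTROL_PATH:
            continue
        # parse_qs percent-decodes the value before it is checked.
        for value in parse_qs(query).get("streamerURL", []):
            if not streamer_url_trusted(value, trusted):
                hits.append((m.group("ip"), m.group("ts"), value))
    return hits

if __name__ == "__main__":
    for hit in find_untrusted_requests(SAMPLE_LOG):
        print(*hit)
```

A streamerURL sent in a POST body does not appear in access logs, so this covers only query-string requests of the kind shown in the curl checks.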
CVE-2026-33716 is a critical vulnerability in wwbn/avideo versions up to 26.0 that allows attackers to bypass authentication by manipulating the streamerURL parameter, gaining unauthorized control over live streams.
You are affected if you are using wwbn/avideo versions 26.0 or earlier. Immediately assess your environment and apply the necessary patches or mitigations.
The recommended fix is to upgrade to a patched version of wwbn/avideo. As a temporary workaround, implement WAF rules to validate the streamerURL parameter.
While no active exploitation has been confirmed, the vulnerability's severity and ease of exploitation suggest a medium probability of exploitation. Monitor security advisories for updates.
Refer to the official wwbn/avideo security advisory for detailed information and patching instructions. Check their website or relevant security mailing lists for updates.