{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-41057", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-16T16:43:03.173Z", "datePublished": "2026-04-21T22:37:15.582Z", "dateUpdated": "2026-04-22T18:02:31.665Z"}, "containers": {"cna": {"title": "AVideo has CORS Origin Reflection Bypass via plugin/API/router.php and allowOrigin(true) that Exposes Authenticated API Responses", "problemTypes": [{"descriptions": [{"cweId": "CWE-346", "lang": "en", "description": "CWE-346: Origin Validation Error", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/WWBN/AVideo/security/advisories/GHSA-ff5q-cc22-fgp4", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-ff5q-cc22-fgp4"}, {"name": "https://github.com/WWBN/AVideo/commit/5e2b897ccac61eb6daca2dee4a6be3c4c2d93e13", "tags": ["x_refsource_MISC"], "url": "https://github.com/WWBN/AVideo/commit/5e2b897ccac61eb6daca2dee4a6be3c4c2d93e13"}], "affected": [{"vendor": "WWBN", "product": "AVideo", "versions": [{"version": "<= 29.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-21T22:37:15.582Z"}, "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions 29.0 and below, the CORS origin validation fix in commit `986e64aad` is incomplete. Two separate code paths still reflect arbitrary `Origin` headers with credentials allowed for all `/api/*` endpoints: (1) `plugin/API/router.php` lines 4-8 unconditionally reflect any origin before application code runs, and (2) `allowOrigin(true)` called by `get.json.php` and `set.json.php` reflects any origin with `Access-Control-Allow-Credentials: true`. An attacker can make cross-origin credentialed requests to any API endpoint and read authenticated responses containing user PII, email, admin status, and session-sensitive data. Commit 5e2b897ccac61eb6daca2dee4a6be3c4c2d93e13 contains a fix."}], "source": {"advisory": "GHSA-ff5q-cc22-fgp4", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-ff5q-cc22-fgp4", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-22T18:02:08.060761Z", "id": "CVE-2026-41057", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T18:02:31.665Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-41057", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-22T18:02:08.060761Z"}}}], "references": [{"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-ff5q-cc22-fgp4", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T18:02:24.246Z"}}], "cna": {"title": "AVideo has CORS Origin Reflection Bypass via plugin/API/router.php and allowOrigin(true) that Exposes Authenticated API Responses", "source": {"advisory": "GHSA-ff5q-cc22-fgp4", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "WWBN", "product": "AVideo", "versions": [{"status": "affected", "version": "<= 29.0"}]}], "references": [{"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-ff5q-cc22-fgp4", "name": "https://github.com/WWBN/AVideo/security/advisories/GHSA-ff5q-cc22-fgp4", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/WWBN/AVideo/commit/5e2b897ccac61eb6daca2dee4a6be3c4c2d93e13", "name": "https://github.com/WWBN/AVideo/commit/5e2b897ccac61eb6daca2dee4a6be3c4c2d93e13", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions 29.0 and below, the CORS origin validation fix in commit `986e64aad` is incomplete. Two separate code paths still reflect arbitrary `Origin` headers with credentials allowed for all `/api/*` endpoints: (1) `plugin/API/router.php` lines 4-8 unconditionally reflect any origin before application code runs, and (2) `allowOrigin(true)` called by `get.json.php` and `set.json.php` reflects any origin with `Access-Control-Allow-Credentials: true`. An attacker can make cross-origin credentialed requests to any API endpoint and read authenticated responses containing user PII, email, admin status, and session-sensitive data. Commit 5e2b897ccac61eb6daca2dee4a6be3c4c2d93e13 contains a fix."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-346", "description": "CWE-346: Origin Validation Error"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-21T22:37:15.582Z"}}}, "cveMetadata": {"cveId": "CVE-2026-41057", "state": "PUBLISHED", "dateUpdated": "2026-04-22T18:02:31.665Z", "dateReserved": "2026-04-16T16:43:03.173Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-21T22:37:15.582Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*", "matchCriteriaId": "AC38CA07-71C1-4C86-B84A-83CF96367CBA", "versionEndIncluding": "29.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions 29.0 and below, the CORS origin validation fix in commit `986e64aad` is incomplete. Two separate code paths still reflect arbitrary `Origin` headers with credentials allowed for all `/api/*` endpoints: (1) `plugin/API/router.php` lines 4-8 unconditionally reflect any origin before application code runs, and (2) `allowOrigin(true)` called by `get.json.php` and `set.json.php` reflects any origin with `Access-Control-Allow-Credentials: true`. An attacker can make cross-origin credentialed requests to any API endpoint and read authenticated responses containing user PII, email, admin status, and session-sensitive data. Commit 5e2b897ccac61eb6daca2dee4a6be3c4c2d93e13 contains a fix."}], "id": "CVE-2026-41057", "lastModified": "2026-04-24T15:07:47.937", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 4.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-21T23:16:20.987", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/WWBN/AVideo/commit/5e2b897ccac61eb6daca2dee4a6be3c4c2d93e13"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-ff5q-cc22-fgp4"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-ff5q-cc22-fgp4"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-346"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,29.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "AVideo", "source": "cna", "vendor": "WWBN"}, "product": "avideo", "vendor": "wwbn"}], "analysis": {"en": {"generated_at": "2026-04-22T07:07:12.947859+00:00", "value": {"mitigation_remediation": ["Apply the vendor patch that updates CORS handling in plugin/API/router.php and the allowOrigin calls, as implemented in commit 5e2b897ccac61eb6daca2dee4a6be3c4c2d93e13.", "Upgrade the installation to AVideo version 29.1 or later where the origin validation logic is fully fixed.", "If immediate patching or upgrading is not possible, configure the web server to restrict the /api/* endpoints to trusted origins only, preventing unintended credentialed requests from arbitrary origins."], "summary": {"action": "Immediate Patch", "impact": "Cross\u2011Origin Data Disclosure via Unrestricted CORS"}, "threat_synthesis": {"affected_systems": "The affected product is the open\u2011source AVideo platform developed by WWBN. Versions 29.0 and all earlier releases are impacted. No other vendors or product variants are listed in the advisory.", "description_and_impact": "The flaw resides in an incomplete CORS origin validation in AVideo versions 29.0 and earlier, where the script unconditionally reflects any Origin header and sets the Access\u2011Control\u2011Allow\u2011Credentials flag for all /api/* endpoints. This constitutes a CWE\u2011346 origin\u2011validation weakness that enables a malicious site to issue cross\u2011origin, credentialed requests on the victim\u2019s behalf and read the resulting API responses, which can contain personally identifiable information, email addresses, administrative status, and other session\u2011sensitive data. The primary security impact is the confidential disclosure of authenticated user information.", "risk_and_exploitability": "The CVSS score of 7.1 indicates high severity. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a standard web request that an attacker can trigger by hosting a malicious page; no special privileges are required other than the victim\u2019s credentials being present in their browser. Exploitation involves sending a cross\u2011origin request to any /api/* endpoint with credentials enabled, receiving the reflected Origin header with Access\u2011Control\u2011Allow\u2011Credentials, and reading the authenticated response."}}}}, "created": "2026-04-22T03:30:06.538492+00:00", "updated": "2026-04-22T07:15:11.667711+00:00", "vendors": ["wwbn", "wwbn$PRODUCT$avideo"]}