CVE-2026-33043

Name of the Vulnerable Software and Affected Versions AVideo versions 25.0 and below

Description AVideo, an open source video platform, has an issue where the /objects/phpsessionid.json.php endpoint exposes the current PHP session ID to any unauthenticated request. The allowOrigin() function reflects any Origin header back in Access-Control-Allow-Origin with Access-Control-Allow-Credentials: true, which enables cross-origin session theft and full account takeover. An attacker can host a malicious page that, when visited by a logged-in AVideo user, steals their PHP session ID due to the permissive CORS policy. This allows the attacker to impersonate the user with full privileges. The vulnerable file is objects/phpsessionid.json.php, and the vulnerable function is allowOrigin(). The allowOrigin() function is located in objects/functions.php (line ~2648). The vulnerability allows an attacker to make a credentialed cross-origin request and read the session ID.

Recommendations Versions prior to 26.0 should be updated.