PT-2026-26474 · Wwbn · Avideo

Fg0X0 · Published 2026-03-19 · Updated 2026-03-23 · CVE-2026-33296

CVSS v3.1: 6.1 (Medium)

Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions

WWBN AVideo versions prior to 26.0

Description

WWBN AVideo, an open source video platform, contains an open redirect issue in the login process. A user-supplied redirectUri parameter is directly included in a JavaScript document.location assignment without proper encoding. After a user completes the login popup, a timer callback uses this unvalidated value to redirect the user to a site controlled by an attacker. The vulnerable code is located in view/userLogin.php, where the application accepts a redirectUri GET parameter, passes it through the isSafeRedirectURL() function, and stores the result in $safeRedirectUri. This value is then embedded into a JavaScript block without appropriate encoding, allowing for exploitation through protocol-relative URLs like //evil.com or subdomain confusion techniques. The attack requires a victim to follow a crafted link and interact with the login popup, enabling phishing attacks.

Recommendations

Versions prior to 26.0 should be updated to version 26.0 or later.
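
The two controls the description says were missing, a strict same-origin check on the redirect target and encoding of the value before it is placed in a script block, are sketched below as an added example. It is not AVideo's code and does not reproduce isSafeRedirectURL(); it is written in JavaScript for illustration, and APP_ORIGIN, the function names and the sample inputs are assumptions.

```javascript
// Added example, not AVideo code. APP_ORIGIN and the sample inputs are constructed.
const APP_ORIGIN = "https://video.example.test";

// Resolve the candidate as a browser would for a page served from APP_ORIGIN
// and accept it only when the result stays on exactly that origin.
function safeRedirectTarget(candidate, fallback = "/") {
  if (typeof candidate !== "string" || candidate === "") return fallback;
  // Control characters and backslashes are normalised by URL parsers in ways
  // that are easy to get wrong, so reject them instead of cleaning them up.
  if (/[\u0000-\u001f\u007f\\]/.test(candidate)) return fallback;
  let url;
  try {
    url = new URL(candidate, APP_ORIGIN);
  } catch {
    return fallback;
  }
  if (url.origin !== APP_ORIGIN) return fallback;
  // A same-origin path that begins with "//" would turn into a
  // protocol-relative URL once the origin is dropped below.
  if (url.pathname.startsWith("//")) return fallback;
  return url.pathname + url.search + url.hash;
}

// Encode a value as a JavaScript string literal for an inline <script> block.
function jsLiteral(value) {
  return JSON.stringify(String(value)).replace(
    /[<>&\u2028\u2029]/g,
    (c) => "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0")
  );
}

function renderRedirectScript(candidate) {
  const target = jsLiteral(safeRedirectTarget(candidate));
  return "<script>document.location = " + target + ";</script>";
}

// Constructed inputs: a local path, a protocol-relative URL, a look-alike host.
for (const input of ["/videos?id=1#t=5", "//evil.example/login",
                     "https://video.example.test.evil.example/"]) {
  console.log(JSON.stringify(input), "->", renderRedirectScript(input));
}
```

Only the first input keeps its path; the other two fall back to "/", because resolving them against the application's origin yields a different origin.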

Exploit

Fix

Open Redirect

Weakness Enumeration

Related Identifiers

CVE-2026-33296
GHSA-HJ5H-5623-GWHW

Affected Products

Avideo