PT-2026-26776 · Avideo · Avideo
Daniel Neto +1 · Published 2026-03-20 · Updated 2026-03-23 · CVE-2026-33492
CVSS v3.1: 7.3 (High)
Vector: AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions
AVideo versions up to and including 26.0
Description
AVideo's _session_start() function accepts an arbitrary session ID supplied in the PHPSESSID GET parameter and sets it as the active PHP session. A session regeneration bypass exists for specific blacklisted endpoints when the request originates from the same domain. Combined with the disabled session regeneration in User::login(), this allows a session fixation attack: an attacker fixes a victim's session ID before authentication and subsequently hijacks the authenticated session.

The requestComesFromSafePlace() function only verifies that the HTTP Referer matches the AVideo domain, a condition that links within the platform easily satisfy. The session ID is exposed to same-origin JavaScript via objects/phpsessionid.json.php and stored in a global JavaScript variable in view/js/session.js. There is no session-to-IP or session-to-user-agent binding.

An attacker can inject a link containing a pre-defined session ID, and when a victim clicks it while logged in, the attacker can hijack the session. This could lead to full account takeover, data access, privilege escalation, and lateral actions.
Recommendations
AVideo versions up to and including 26.0: Re-enable session regeneration on login by uncommenting session_regenerate_id(); in objects/user.php at line 1317.
AVideo versions up to and including 26.0: Remove GET-based session ID acceptance in objects/functionsPHP.php lines 344-383.
AVideo versions up to and including 26.0: Remove session ID exposure from objects/phpsessionid.json.php and view/js/session.js.
Exploit
Fix
Session Fixation
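A detection sketch for the behaviour described above, added here as an example and not taken from the advisory or from AVideo: it scans web server access logs for requests that pass PHPSESSID in the URL, groups them by the supplied ID, and flags IDs presented by more than one client address. It assumes Combined Log Format; the host video.example and the paths, addresses and session IDs in the sample are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Combined Log Format: ip - user [time] "METHOD target PROTO" status size "referer" "ua"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"'
)

def _host(url):
    try:
        return urlsplit(url).hostname
    except ValueError:  # malformed Referer value
        return None

def find_url_session_ids(lines, site_host):
    """Group requests that carry PHPSESSID in the URL by the supplied session ID."""
    hits = defaultdict(lambda: {"ips": set(), "paths": set(), "same_site_referer": False})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line
        url = urlsplit(m["target"])
        for sid in parse_qs(url.query).get("PHPSESSID", []):
            entry = hits[sid]
            entry["ips"].add(m["ip"])
            entry["paths"].add(url.path)
            # Condition named in the advisory: Referer host equals the site's own host.
            if _host(m["referer"]) == site_host:
                entry["same_site_referer"] = True
    return dict(hits)

def shared_session_ids(hits):
    """URL-supplied session IDs presented by more than one client address."""
    return sorted(sid for sid, e in hits.items() if len(e["ips"]) > 1)

# Constructed sample lines: documentation IPs, hypothetical host, paths and IDs.
SAMPLE_LOG = [
    '198.51.100.7 - - [20/Mar/2026:10:00:01 +0000] "GET /example/page?PHPSESSID=constructedid0001 HTTP/1.1" 200 512 "-" "ExampleAgent/1.0"',
    '203.0.113.20 - - [20/Mar/2026:10:05:42 +0000] "GET /example/page?PHPSESSID=constructedid0001 HTTP/1.1" 200 512 "https://video.example/example/comments" "ExampleBrowser/1.0"',
    '203.0.113.20 - - [20/Mar/2026:10:05:50 +0000] "GET /example/other HTTP/1.1" 200 128 "https://video.example/example/page" "ExampleBrowser/1.0"',
    '192.0.2.9 - - [20/Mar/2026:11:00:00 +0000] "GET /example/page?PHPSESSID=constructedid0002 HTTP/1.1" 200 512 "-" "ExampleBrowser/1.0"',
]

if __name__ == "__main__":
    found = find_url_session_ids(SAMPLE_LOG, "video.example")
    print("shared:", shared_session_ids(found))
```

Session IDs sent only in cookies are not recorded in this log format, so the script sees just the URL-supplied case that the recommendations remove.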
Weakness Enumeration
Related Identifiers
Affected Products
Avideo