CVE-2026-33716

Name of the Vulnerable Software and Affected Versions AVideo versions up to and including 26.0

Description AVideo is an open source video platform. The standalone live stream control endpoint at plugin/Live/standAloneFiles/control.json.php accepts a user-supplied streamerURL parameter that allows an attacker to redirect token verification requests to a server they control. By returning a specific response ({"error": false}), an attacker can bypass authentication and gain unauthenticated control over any live stream on the platform. This control includes the ability to drop active publishers, start or stop recordings, and probe stream existence. The commit 388fcd57dbd16f6cb3ebcdf1d08cf2b929941128 contains a patch to address this issue.

Recommendations Versions up to and including 26.0 should be updated to commit 388fcd57dbd16f6cb3ebcdf1d08cf2b929941128.