PT-2026-34202 · Avideo · Avideo

Published: 2026-04-14 · Updated: 2026-04-26 · CVE-2026-41056

CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: WWBN AVideo versions 29.0 and earlier

Description: The allowOrigin($allowAll=true) function in objects/functions.php reflects any Origin request header back in Access-Control-Allow-Origin and also sends Access-Control-Allow-Credentials: true. The function is used by the API endpoints 'plugin/API/get.json.php' and 'plugin/API/set.json.php', which handle user data retrieval, authentication, livestream credentials and state-changing operations. Because the application sets its session cookie with SameSite=None, a third-party website can make credentialed cross-origin requests to these endpoints and read the authenticated API responses. This can lead to theft of personally identifiable information (PII) and livestream keys, and to unauthorized state changes performed on behalf of the victim.

Recommendations: Update to a version containing commit caf705f38eae0ccfac4c3af1587781355d24495e. As a temporary workaround, restrict access to the 'plugin/API/get.json.php' and 'plugin/API/set.json.php' endpoints, or disable the allowOrigin() function, until the update is applied.
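The safe pattern for an allowOrigin()-style helper, as an added illustrative example (this is not AVideo's code and not the content of the referenced commit): an Origin is echoed back in Access-Control-Allow-Origin only when it exactly matches a fixed allowlist, and Access-Control-Allow-Credentials: true is sent only in that case. The allowlist entries, the origins in the demo loop and the function names are constructed for this example. A small audit helper flags the unsafe combination the advisory describes, so the same check can be run against captured response headers during a review.

```php
<?php
// Added illustrative example, not AVideo's code. Shows the defensive pattern for
// an allowOrigin()-style helper: only echo an Origin back in
// Access-Control-Allow-Origin when it is on a fixed allowlist, and only then
// send Access-Control-Allow-Credentials: true. Allowlist values are constructed.

/**
 * Decide which CORS headers to emit for a request's Origin.
 * Returns header name => value; an empty array means "emit no CORS headers",
 * in which case the browser blocks any cross-origin read of the response.
 */
function corsHeadersForOrigin(?string $origin, array $allowedOrigins): array
{
    if ($origin === null || $origin === '') {
        return []; // same-origin or non-browser client: no CORS headers needed
    }
    // Exact comparison of the full origin (scheme + host + port). Never use
    // substring or prefix matching, which a lookalike host can satisfy.
    if (!in_array($origin, $allowedOrigins, true)) {
        return [];
    }
    return [
        'Access-Control-Allow-Origin'      => $origin,
        'Access-Control-Allow-Credentials' => 'true',
        'Vary'                             => 'Origin', // stop caches serving one origin's answer to another
    ];
}

/**
 * Audit helper: true when the headers reflect an unlisted Origin (or use "*")
 * while credentials are enabled, i.e. the misconfiguration in the advisory.
 */
function isUnsafeCorsPolicy(array $headers, string $requestOrigin, array $allowedOrigins): bool
{
    $acao = $headers['Access-Control-Allow-Origin'] ?? null;
    $acac = strtolower($headers['Access-Control-Allow-Credentials'] ?? 'false');
    if ($acac !== 'true' || $acao === null) {
        return false; // no credentialed cross-origin read is possible
    }
    return $acao === '*'
        || ($acao === $requestOrigin && !in_array($requestOrigin, $allowedOrigins, true));
}

// Hypothetical allowlist; a deployment would list its real front-end origins.
$allowed = ['https://video.example.com', 'https://admin.example.com'];

// Weak behaviour the advisory describes: reflect whatever Origin arrived.
$reflectAny = function (string $origin): array {
    return [
        'Access-Control-Allow-Origin'      => $origin,
        'Access-Control-Allow-Credentials' => 'true',
    ];
};

foreach (['https://video.example.com', 'https://third-party.example.net'] as $origin) {
    $weak = $reflectAny($origin);
    $safe = corsHeadersForOrigin($origin, $allowed);
    printf("%-34s reflect-any unsafe: %-3s | allowlisted unsafe: %s\n",
        $origin,
        isUnsafeCorsPolicy($weak, $origin, $allowed) ? 'yes' : 'no',
        isUnsafeCorsPolicy($safe, $origin, $allowed) ? 'yes' : 'no');
}

// In a real endpoint the headers would be emitted like this:
// foreach (corsHeadersForOrigin($_SERVER['HTTP_ORIGIN'] ?? null, $allowed) as $n => $v) {
//     header("$n: $v");
// }
```

For the allowlisted origin both variants return the same headers and neither is flagged; for the unlisted origin only the reflect-any variant is flagged, because the allowlisted version emits no CORS headers at all. The audit function is independent of the application and can be pointed at any recorded response to confirm that a deployed fix or workaround is effective. Tightening the session cookie's SameSite attribute, which the advisory also mentions, is a separate control that limits when the browser attaches the cookie in the first place.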


Related Identifiers

CVE-2026-41056
GHSA-CCQ9-R5CW-5HWQ

Affected Products

Avideo