PT-2026-34203 · Avideo · Avideo

Published 2026-04-14 · Updated 2026-04-26 · CVE-2026-41057

CVSS v3.1: 7.1 High
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions: AVideo versions 29.0 and earlier

Description: Incomplete CORS origin validation allows an attacker to make cross-origin credentialed requests to any endpoint under '/api/*'. Two code paths reflect arbitrary Origin headers while allowing credentials: the plugin/API/router.php file reflects any origin before application code executes, and the allowOrigin(true) function, used by get.json.php and set.json.php, reflects any origin together with Access-Control-Allow-Credentials: true. This can expose authenticated responses containing session-sensitive data, email, admin status, and user PII (Personally Identifiable Information).

Recommendations: Update to the version containing commit 5e2b897ccac61eb6daca2dee4a6be3c4c2d93e13.
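As an added illustration (not AVideo's code and not the change in the referenced commit), the allowlist check below is a hardened stand-in for an origin-reflecting allowOrigin(true), and a companion check flags the reflect-with-credentials pattern in captured response headers; the trusted origins and sample headers are constructed values.

```python
from urllib.parse import urlsplit

# Constructed sample allowlist: the exact origins this deployment trusts.
TRUSTED_ORIGINS = {"https://video.example.com", "https://admin.example.com"}


def allow_origin(request_origin, trusted=TRUSTED_ORIGINS):
    """Hardened stand-in for an allowOrigin(true) that echoes any Origin.

    Returns the CORS headers to emit on a credentialed response, or an empty
    dict when the Origin must not be trusted. Matching is on the full
    normalized scheme://host[:port], so look-alike hosts such as
    video.example.com.attacker.tld, a 'null' Origin, and a downgraded http://
    variant of a trusted host are all rejected.
    """
    if not request_origin:
        return {}
    parts = urlsplit(request_origin)
    # A real Origin header is scheme://host[:port] only; anything else is bogus.
    if parts.scheme not in ("https", "http") or not parts.netloc:
        return {}
    if parts.path or parts.query or parts.fragment:
        return {}
    normalized = f"{parts.scheme}://{parts.netloc.lower()}"
    if normalized not in trusted:
        return {}
    return {
        "Access-Control-Allow-Origin": normalized,
        "Access-Control-Allow-Credentials": "true",
        # Keep caches from serving one origin's response to another.
        "Vary": "Origin",
    }


def reflects_origin_with_credentials(request_origin, response_headers):
    """Flag the advisory's pattern in a captured exchange: the response echoes
    the request's Origin verbatim and also sets Allow-Credentials: true."""
    headers = {k.lower(): v for k, v in response_headers.items()}
    acao = headers.get("access-control-allow-origin")
    acac = headers.get("access-control-allow-credentials", "").strip().lower()
    return acao is not None and acao == request_origin and acac == "true"


if __name__ == "__main__":
    # Constructed capture of a reflecting endpoint answering a foreign origin.
    captured = {"Access-Control-Allow-Origin": "https://attacker.example",
                "Access-Control-Allow-Credentials": "true"}
    print(reflects_origin_with_credentials("https://attacker.example", captured))  # True
    print(allow_origin("https://attacker.example"))  # {}
```

Running the detection check against a capture from an endpoint that uses the hardened allow_origin yields False, because an untrusted Origin never gets an Access-Control-Allow-Origin header at all.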


Weakness Enumeration

Origin Validation Error

Related Identifiers

CVE-2026-41057
GHSA-FF5Q-CC22-FGP4

Affected Products

Avideo