CVE-2026-33716 — AI Deep Analysis Summary

🚨 **Essence**: CVE-2026-33716 is an **Authorization Bypass** in WWBN AVideo. <br>💥 **Consequences**: Attackers can manipulate the `streamerURL` parameter in `control.json.php`.…

🛡️ **Root Cause**: **CWE-287** (Improper Authentication).…

🏢 **Vendor**: WWBN. <br>📦 **Product**: AVideo (PHP-based video platform). <br>📅 **Affected Versions**: **26.0 and earlier** versions.

🕵️ **Attacker Actions**: <br>1. **Bypass Auth**: Skip login/token verification entirely. <br>2. **Control Streams**: Hijack or redirect **live streams**. <br>3.…

⚡ **Threshold**: **LOW**. <br>🔓 **Auth**: None required (**PR:N**). <br>🌐 **Network**: Network accessible (**AV:N**). <br>👤 **UI**: No user interaction needed (**UI:N**).

📜 **Public Exploit**: **No**. <br>🚫 **PoCs**: The `pocs` array is empty in the data. <br>⚠️ **Status**: Theoretical risk, but CVSS indicates high severity.

🔍 **Self-Check**: <br>1. Scan for `control.json.php` endpoint. <br>2. Check AVideo version (≤ 26.0). <br>3. Look for unauthenticated access to streamer URL parameters.

✅ **Fixed**: **Yes**. <br>🔗 **Patch**: Commit `388fcd57dbd16f6cb3ebcdf1d08cf2b929941128` on GitHub. <br>📢 **Advisory**: GHSA-9hv9-gvwm-95f2.

🛡️ **No Patch Workaround**: <br>1. **Block Access**: Restrict access to `standAloneFiles/` directory via WAF/Nginx. <br>2. **Disable**: If not used, disable live streaming features. <br>3.…

🔥 **Urgency**: **HIGH**. <br>🚨 **Priority**: Immediate patching recommended. <br>📉 **Risk**: CVSS 3.1 vector shows **High** integrity/availability impact with **Low** complexity. Do not ignore!