CVE-2026-41057— AVideo has CORS Origin Reflection Bypass via plugin/API/router.php and allowOrigin(true) that Exposes Authenticated API Responses
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-41057
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
AVideo has CORS Origin Reflection Bypass via plugin/API/router.php and allowOrigin(true) that Exposes Authenticated API Responses
Source: NVD (National Vulnerability Database)
Vulnerability Description
WWBN AVideo is an open source video platform. In versions 29.0 and below, the CORS origin validation fix in commit `986e64aad` is incomplete. Two separate code paths still reflect arbitrary `Origin` headers with credentials allowed for all `/api/*` endpoints: (1) `plugin/API/router.php` lines 4-8 unconditionally reflect any origin before application code runs, and (2) `allowOrigin(true)` called by `get.json.php` and `set.json.php` reflects any origin with `Access-Control-Allow-Credentials: true`. An attacker can make cross-origin credentialed requests to any API endpoint and read authenticated responses containing user PII, email, admin status, and session-sensitive data. Commit 5e2b897ccac61eb6daca2dee4a6be3c4c2d93e13 contains a fix.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
源验证错误
Source: NVD (National Vulnerability Database)
Vulnerability Title
WWBN AVideo 访问控制错误漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
WWBN AVideo是WWBN团队的一个由PHP编写的视频平台建站系统。 WWBN AVideo 29.0及之前版本存在访问控制错误漏洞,该漏洞源于CORS来源验证修复不完整,两个代码路径仍反射任意Origin标头,可能导致攻击者对任何API端点进行跨域凭据请求,读取包含用户PII的认证响应。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-41057
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-41057
请登录查看更多情报信息。
Same Patch Batch · WWBN · 2026-04-21 · 19 CVEs total
| CVE-2026-40911 | 10.0 CRITICAL | WWBN AVideo YPTSocket WebSocket Broadcast Relay Leads to Unauthenticated Cross-User JavaSc |
| CVE-2026-41064 | 9.3 CRITICAL | AVideo has an incomplete fix for CVE-2026-33502 (Command Injection) |
| CVE-2026-40909 | 8.7 HIGH | WWBN AVideo has a Path Traversal in Locale Save Endpoint that Enables Arbitrary PHP File W |
| CVE-2026-41055 | 8.6 HIGH | AVideo has an incomplete fix for CVE-2026-33039 (SSRF) |
| CVE-2026-40925 | 8.3 HIGH | WWBN AVideo has CSRF in configurationUpdate.json.php Enables Full Site Configuration Takeo |
| CVE-2026-41056 | 8.1 HIGH | AVideos has CORS Origin Reflection with Credentials on Sensitive API Endpoints that Enable |
| CVE-2026-41058 | 8.1 HIGH | AVideo has an incomplete fix for CVE-2026-33293 (Path Traversal) in AVideo |
| CVE-2026-41060 | 7.7 HIGH | AVideo's SSRF via same-domain hostname with alternate port bypasses isSSRFSafeURL |
| CVE-2026-40926 | 7.1 HIGH | WWBN AVideo Vulnerable to CSRF in Admin JSON Endpoints (Category CRUD, Plugin Update Scrip |
| CVE-2026-40907 | 6.5 MEDIUM | WWBN AVideo has IDOR in Live Restreams list.json.php that Exposes Other Users' Stream Keys |
| CVE-2026-41062 | 6.5 MEDIUM | WWBN/AVideo has an incomplete fix for a directory traversal bypass via query string in Rec |
| CVE-2026-40928 | 5.4 MEDIUM | AVideo: Missing CSRF Protection on State-Changing JSON Endpoints Enables Forced Comment Cr |
| CVE-2026-40929 | 5.4 MEDIUM | WWBN AVideo's missing CSRF protection in objects/commentDelete.json.php enables mass comme |
| CVE-2026-41063 | 5.4 MEDIUM | WWBN AVideo has incomplete fix for CVE-2026-33500 (XSS) |
| CVE-2026-41061 | 5.4 MEDIUM | WWBN AVideo Vulnerable to stored XSS via Unanchored Duration Regex in Video Encoder Receiv |
| CVE-2026-40908 | 5.3 MEDIUM | WWBN AVideo has an Unauthenticated Information Disclosure via git.json.php that Exposes De |
| CVE-2026-40935 | 5.3 MEDIUM | WWBN/AVideo has CAPTCHA Bypass via Attacker-Controlled Length Parameter and Missing Token |
| CVE-2026-41304 | WWBN AVideo vulnerable to RCE caused by clonesite plugin |
IV. Related Vulnerabilities
Same product: AVideo
- CVE-2026-41304
WWBN AVideo vulnerable to RCE caused by clonesite plugin - CVE-2026-41064
AVideo has an incomplete fix for CVE-2026-33502 (Command Inj - CVE-2026-41063
WWBN AVideo has incomplete fix for CVE-2026-33500 (XSS) - CVE-2026-41062
WWBN/AVideo has an incomplete fix for a directory traversal - CVE-2026-41061
WWBN AVideo Vulnerable to stored XSS via Unanchored Duration
Same vendor: WWBN
- CVE-2026-41304
WWBN AVideo vulnerable to RCE caused by clonesite plugin - CVE-2026-41064
AVideo has an incomplete fix for CVE-2026-33502 (Command Inj - CVE-2026-41063
WWBN AVideo has incomplete fix for CVE-2026-33500 (XSS) - CVE-2026-41062
WWBN/AVideo has an incomplete fix for a directory traversal - CVE-2026-41061
WWBN AVideo Vulnerable to stored XSS via Unanchored Duration
Same weakness: CWE-346
- CVE-2026-6508
RCE in TUBITAK BILGEM's Liderahenk - CVE-2026-43870
Apache Thrift: Node.js web_server.js multi-vulnerability - CVE-2026-7439
AgentFlow Local Web API Content-Type Validation Bypass - CVE-2026-41398
OpenClaw - Unauthorized Agent Request Dispatch via Untrusted - CVE-2026-41393
OpenClaw < 2026.3.31 - Arbitrary DNS Authority Acceptance an
V. Comments for CVE-2026-41057
No comments yet