PHP RCE (CVE-2026-33716)
CVE-2026-33716
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the standalone live stream control endpoint at `plugin/Live/standAloneFiles/control.json.php` accepts a user-supplie...
Overview
A critical security vulnerability has been disclosed in WWBN AVideo, an open-source video platform. The flaw, tracked as CVE-2026-33716, lets an unauthenticated attacker defeat the token check on the standalone live stream control endpoint and issue control commands against live streams on affected systems.
Vulnerability Details
In WWBN AVideo versions 26.0 and earlier, the standalone live stream control endpoint (plugin/Live/standAloneFiles/control.json.php) is improperly secured. The endpoint accepts a user-controlled parameter, streamerURL, and uses it as the base address of the server it contacts to check whether the supplied authentication token is valid. Because that address comes from the request rather than from the server's own configuration, an attacker can point it at a host they control, have that host answer every verification request with a success response, and the endpoint then treats the attacker as authorised. In effect the endpoint delegates its authentication decision to whichever server the caller names: a server-side request to an attacker-chosen host that sits inside the platform's own trust boundary.
Impact and Risks
The impact of this vulnerability is severe. By exploiting this flaw, an attacker can:
- Gain unauthenticated administrative control over any live stream on the platform.
- Drop or disconnect active publishers and streams.
- Start or stop stream recordings without authorization.
- Probe the system to discover whether specific streams exist.
Taken together, this can mean complete disruption of live streaming services, unauthorized access to private streams, and loss of data integrity.
Affected Versions
All versions of WWBN AVideo up to and including version 26.0 are vulnerable.
Remediation and Mitigation
The primary and most critical action is to apply the official patch immediately.
- Patch immediately: The vulnerability has been fixed in the source code. Administrators must update their installation by applying the patch from commit 388fcd57dbd16f6cb3ebcdf1d08cf2b929941128. If you run a forked or customised version, confirm that this commit is actually present in your tree's history rather than assuming a later merge carried it.
- Update to a secure version: Upgrade to the latest version of WWBN AVideo released after this fix. Always obtain software from the official repository.
- Temporary mitigation: If immediate patching is not possible, block requests to plugin/Live/standAloneFiles/control.json.php at the web server or reverse proxy, or restrict network access to the AVideo application as a whole, until the update can be applied. Disabling the standalone live stream feature removes the exposed endpoint but also its legitimate use. Patching is the only complete solution.
This vulnerability underscores the importance of promptly applying security patches to all internet-facing software, and of never letting a request parameter decide which server an application trusts for an authentication decision.