CVE Tools
Home/Vulnerability/CVE-2026-41056

CVE-2026-41056

AVideos has CORS Origin Reflection with Credentials on Sensitive API Endpoints that Enables Cross-Origin Account Takeover

Published: Apr 21, 2026Updated: Apr 21, 2026 Sources: CVE List NVD
NVD MITRE
8.1CVSS
HIGH

WWBN AVideo is an open source video platform. In versions 29.0 and below, the `allowOrigin($allowAll=true)` function in `objects/functions.php` reflects any arbitrary `Origin` header back in `Access-Control-Allow-Origin` along with `Access-Control-Allow-Credentials: true`. This function is called by both `plugin/API/get.json.php` and `plugin/API/set.json.php` — the primary API endpoints that handle user data retrieval, authentication, livestream credentials, and state-changing operations. Combined with the application's `SameSite=None` session cookie policy, any website can make credentialed cross-origin requests and read authenticated API responses, enabling theft of user PII, livestream keys, and performing state changes on behalf of the victim. Commit caf705f38eae0ccfac4c3af1587781355d24495e contains a fix.

EPSS Score
N/A
CISA KEV
Not in KEV
Exploits
No Known Exploits
Remediation
No Fix Available

CVSS Vector Breakdown

AV:NAC:LPR:NUI:RS:UC:HI:HA:N
Exploitability
AV:NAttack Vector
Network
AC:LAttack Complexity
Low
PR:NPrivileges Required
None
UI:RUser Interaction
Required
Scope
S:UScope
Unchanged
Impact
C:HConfidentiality
High
I:HIntegrity
High
A:NAvailability
None

Weaknesses

CWE-942

Affected Products

AVideo
WWBN

Exploitability

No known exploits, KEV entries, or remediation guidance available for this vulnerability yet.

References

https://github.com/WWBN/AVideo/security/advisories/GHSA-ccq9-r5cw-5hwq
github.com
https://github.com/WWBN/AVideo/commit/caf705f38eae0ccfac4c3af1587781355d24495e
github.com

Timeline

Published
Apr 21, 2026
Last Updated
Apr 21, 2026

Unlock Complete Vulnerability Intelligence

Get the full picture for CVE-2026-41056 and every CVE in our database. Create a free account — no credit card required.

Create Free Account
AI-powered analysis
Plain-language impact assessment and exploitation scenario
Attack graph visualization
Interactive attack path and kill chain mapping
Exploit details & PoC links
ExploitDB, Metasploit, GitHub PoCs with direct links
Nuclei scanner templates
Ready-to-use vulnerability scanner templates
Full remediation guide
Patch instructions, workarounds, and compliance impact
Interactive AI chat
Ask questions about this vulnerability in natural language
Related vulnerabilities
Semantically similar CVEs and attack patterns
REST API & MCP access
Integrate vulnerability data into your workflows