CVE-2026-29093
HIGH
GHSA-xxpw-32hf-q8v9
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2Description
WWBN AVideo is an open source video platform. Prior to version 24.0, the official docker-compose.yml publishes the memcached service on host port 11211 (0.0.0.0:11211) with no authentication, while the Dockerfile configures PHP to store all user sessions in that memcached instance. An attacker who can reach port 11211 can read, modify, or flush session data - enabling session hijacking, admin impersonation, and mass session destruction without any application-level authentication. This issue has been patched in version 24.0.
Analysis
Memcached session storage exposure in AVideo prior to version 24.0 allows unauthenticated remote attackers to read, modify, or delete user sessions by accessing the publicly exposed memcached service on port 11211. An attacker with network access to this port can hijack admin accounts, impersonate users, or destroy all active sessions without any authentication. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Identify all WWBN AVideo deployments running versions prior to 24.0 and restrict network access to port 11211 using firewall rules (allow only internal application servers). Within 7 days: Upgrade to AVideo version 24.0 or later, which remedies the insecure docker-compose configuration, or disable memcached session storage in favor of secure alternatives. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today