CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H
Description
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the standalone live stream control endpoint at `plugin/Live/standAloneFiles/control.json.php` accepts a user-supplied `streamerURL` parameter that overrides where the server sends token verification requests. An attacker can redirect token verification to a server they control that always returns `{"error": false}`, completely bypassing authentication. This grants unauthenticated control over any live stream on the platform, including dropping active publishers, starting/stopping recordings, and probing stream existence. Commit 388fcd57dbd16f6cb3ebcdf1d08cf2b929941128 contains a patch.
Analysis
WWBN AVideo versions up to and including 26.0 contain an authentication bypass vulnerability in the standalone live stream control endpoint. The endpoint accepts a user-supplied 'streamerURL' parameter that redirects token verification to an attacker-controlled server, allowing complete bypass of authentication without any user interaction. …
Remediation
Within 24 hours: Inventory all systems running WWBN AVideo and isolate affected instances from public internet access; disable live streaming functionality if business-critical patches cannot be applied immediately. Within 7 days: Implement network segmentation to restrict access to AVideo streaming endpoints to authorized networks only; deploy WAF rules to block requests with suspicious 'streamerURL' parameters; monitor stream access logs for anomalous authentication patterns. …
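A log check for the monitoring step above, as an added example that is not part of the advisory or the AVideo project: it scans combined-format access log lines for requests to the control endpoint whose `streamerURL` query parameter names a host outside an allowlist. The allowlist host, the function name and the sample log lines are constructed assumptions; parameters sent in a request body do not appear in access logs and are not covered.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Endpoint path and parameter name as given in the advisory.
ENDPOINT = "plugin/Live/standAloneFiles/control.json.php"
PARAM = "streamerURL"
# Assumption: the host(s) this deployment legitimately uses as its streamer site.
ALLOWED_STREAMER_HOSTS = {"video.example.com"}

# Combined log format, parsed up to the status code.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def streamer_override_hits(lines, allowed=ALLOWED_STREAMER_HOSTS):
    """Return one record per control-endpoint request whose streamerURL
    query parameter points at a host outside `allowed`."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        target = urlsplit(m["target"])
        if not unquote(target.path).endswith(ENDPOINT):
            continue
        for value in parse_qs(target.query).get(PARAM, []):
            try:
                host = (urlsplit(value).hostname or "").lower()
            except ValueError:  # malformed URL, e.g. a broken IPv6 literal
                host = ""
            if host not in allowed:  # empty host means unparseable: report it
                hits.append({"client": m["client"], "time": m["time"],
                             "status": int(m["status"]),
                             "streamer_host": host, "raw_value": value})
    return hits

# Constructed sample lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2026:12:00:01 +0000] "GET /plugin/Live/standAloneFiles/'
    'control.json.php?streamerURL=https%3A%2F%2Fverify.invalid%2F HTTP/1.1" 200 17',
    '198.51.100.4 - - [01/Jan/2026:12:00:05 +0000] "GET /plugin/Live/standAloneFiles/'
    'control.json.php?streamerURL=https%3A%2F%2Fvideo.example.com%2F HTTP/1.1" 200 17',
    '198.51.100.4 - - [01/Jan/2026:12:00:09 +0000] "GET /plugin/Live/standAloneFiles/control.json.php HTTP/1.1" 200 17',
    '192.0.2.9 - - [01/Jan/2026:12:00:12 +0000] "GET /index.php?streamerURL=x HTTP/1.1" 200 5',
]

if __name__ == "__main__":
    print(*streamer_override_hits(SAMPLE_LOG), sep="\n")
```

On an instance that never passes `streamerURL` to this endpoint in normal operation, an empty allowlist turns the check into "report every use of the parameter".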
EUVD-2026-14502
GHSA-9hv9-gvwm-95f2