Tag
AVideo versions 26.0 and earlier are vulnerable to session fixation due to accepting arbitrary session IDs via the `PHPSESSID` GET parameter and disabled session regeneration, allowing attackers to hijack authenticated sessions.