{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-41057/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.1,"id":"CVE-2026-41057"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["AVideo"],"_cs_severities":["high"],"_cs_tags":["CVE-2026-41057","CORS","AVideo","webserver"],"_cs_type":"advisory","_cs_vendors":["WWBN"],"content_html":"\u003cp\u003eWWBN AVideo, an open-source video platform, is susceptible to a CORS vulnerability (CVE-2026-41057) in versions 29.0 and below. The vulnerability stems from an incomplete fix for CORS origin validation. Specifically, two code paths, \u003ccode\u003eplugin/API/router.php\u003c/code\u003e and \u003ccode\u003eallowOrigin(true)\u003c/code\u003e called by \u003ccode\u003eget.json.php\u003c/code\u003e and \u003ccode\u003eset.json.php\u003c/code\u003e, reflect arbitrary \u003ccode\u003eOrigin\u003c/code\u003e headers, allowing credentials for all \u003ccode\u003e/api/*\u003c/code\u003e endpoints. This flaw enables attackers to bypass CORS restrictions and make cross-origin credentialed requests. A fix has been implemented in commit 5e2b897ccac61eb6daca2dee4a6be3c4c2d93e13. This vulnerability could lead to the exposure of sensitive information, including user PII, email addresses, admin status, and session-sensitive data. Defenders should prioritize patching affected AVideo instances.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies an AVideo instance running version 29.0 or below.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious webpage containing JavaScript code designed to make cross-origin requests to the vulnerable AVideo instance's \u003ccode\u003e/api/*\u003c/code\u003e endpoints.\u003c/li\u003e\n\u003cli\u003eThe malicious webpage sets the \u003ccode\u003eOrigin\u003c/code\u003e header to an arbitrary value.\u003c/li\u003e\n\u003cli\u003eDue to the incomplete CORS validation in \u003ccode\u003eplugin/API/router.php\u003c/code\u003e, the server reflects the arbitrary origin.\u003c/li\u003e\n\u003cli\u003eAlternatively, the malicious webpage triggers \u003ccode\u003eget.json.php\u003c/code\u003e or \u003ccode\u003eset.json.php\u003c/code\u003e, which call \u003ccode\u003eallowOrigin(true)\u003c/code\u003e and reflect the arbitrary origin with \u003ccode\u003eAccess-Control-Allow-Credentials: true\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker's JavaScript code sends a credentialed request (e.g., including cookies) to the \u003ccode\u003e/api/*\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe AVideo server processes the request and returns an authenticated response containing user PII, email, admin status, and session-sensitive data.\u003c/li\u003e\n\u003cli\u003eThe attacker's malicious webpage extracts and exfiltrates the sensitive data from the response.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-41057 allows attackers to bypass CORS restrictions and access sensitive information from vulnerable AVideo instances. This includes user PII, email addresses, admin status, and session-sensitive data. The impact could range from unauthorized access to user accounts to complete compromise of the AVideo platform, depending on the specific API endpoint targeted and the permissions of the compromised user. The number of victims is dependent on the number of vulnerable AVideo instances exposed to the internet.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the patch from commit \u003ccode\u003e5e2b897ccac61eb6daca2dee4a6be3c4c2d93e13\u003c/code\u003e to remediate CVE-2026-41057.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided to detect attempts to exploit this CORS vulnerability within web server logs.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for requests to \u003ccode\u003e/api/*\u003c/code\u003e endpoints with unusual or unexpected \u003ccode\u003eOrigin\u003c/code\u003e headers.\u003c/li\u003e\n\u003cli\u003eImplement proper CORS validation on all AVideo instances, ensuring that only trusted origins are allowed to access sensitive API endpoints.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-23T12:00:00Z","date_published":"2024-01-23T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-wwbn-avideo-cors/","summary":"WWBN AVideo versions 29.0 and below are vulnerable to cross-origin credentialed requests to API endpoints due to an incomplete CORS origin validation fix, potentially exposing sensitive user data.","title":"WWBN AVideo CORS Vulnerability (CVE-2026-41057)","url":"https://feed.craftedsignal.io/briefs/2024-01-wwbn-avideo-cors/"}],"language":"en","title":"CraftedSignal Threat Feed - CVE-2026-41057","version":"https://jsonfeed.org/version/1.1"}