<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>CVE-2026-41057 - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/cve-2026-41057/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 23 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/cve-2026-41057/feed.xml" rel="self" type="application/rss+xml"/><item><title>WWBN AVideo CORS Vulnerability (CVE-2026-41057)</title><link>https://feed.craftedsignal.io/briefs/2024-01-wwbn-avideo-cors/</link><pubDate>Tue, 23 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-wwbn-avideo-cors/</guid><description>WWBN AVideo versions 29.0 and below are vulnerable to cross-origin credentialed requests to API endpoints due to an incomplete CORS origin validation fix, potentially exposing sensitive user data.</description><content:encoded><![CDATA[<p>WWBN AVideo, an open-source video platform, is susceptible to a CORS vulnerability (CVE-2026-41057) in versions 29.0 and below. The vulnerability stems from an incomplete fix for CORS origin validation. Specifically, two code paths, <code>plugin/API/router.php</code> and <code>allowOrigin(true)</code> called by <code>get.json.php</code> and <code>set.json.php</code>, reflect arbitrary <code>Origin</code> headers, allowing credentials for all <code>/api/*</code> endpoints. This flaw enables attackers to bypass CORS restrictions and make cross-origin credentialed requests. A fix has been implemented in commit 5e2b897ccac61eb6daca2dee4a6be3c4c2d93e13. This vulnerability could lead to the exposure of sensitive information, including user PII, email addresses, admin status, and session-sensitive data. Defenders should prioritize patching affected AVideo instances.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker identifies an AVideo instance running version 29.0 or below.</li>
<li>Attacker crafts a malicious webpage containing JavaScript code designed to make cross-origin requests to the vulnerable AVideo instance's <code>/api/*</code> endpoints.</li>
<li>The malicious webpage sets the <code>Origin</code> header to an arbitrary value.</li>
<li>Due to the incomplete CORS validation in <code>plugin/API/router.php</code>, the server reflects the arbitrary origin.</li>
<li>Alternatively, the malicious webpage triggers <code>get.json.php</code> or <code>set.json.php</code>, which call <code>allowOrigin(true)</code> and reflect the arbitrary origin with <code>Access-Control-Allow-Credentials: true</code>.</li>
<li>The attacker's JavaScript code sends a credentialed request (e.g., including cookies) to the <code>/api/*</code> endpoint.</li>
<li>The AVideo server processes the request and returns an authenticated response containing user PII, email, admin status, and session-sensitive data.</li>
<li>The attacker's malicious webpage extracts and exfiltrates the sensitive data from the response.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-41057 allows attackers to bypass CORS restrictions and access sensitive information from vulnerable AVideo instances. This includes user PII, email addresses, admin status, and session-sensitive data. The impact could range from unauthorized access to user accounts to complete compromise of the AVideo platform, depending on the specific API endpoint targeted and the permissions of the compromised user. The number of victims is dependent on the number of vulnerable AVideo instances exposed to the internet.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Apply the patch from commit <code>5e2b897ccac61eb6daca2dee4a6be3c4c2d93e13</code> to remediate CVE-2026-41057.</li>
<li>Deploy the Sigma rules provided to detect attempts to exploit this CORS vulnerability within web server logs.</li>
<li>Monitor web server logs for requests to <code>/api/*</code> endpoints with unusual or unexpected <code>Origin</code> headers.</li>
<li>Implement proper CORS validation on all AVideo instances, ensuring that only trusted origins are allowed to access sensitive API endpoints.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>CVE-2026-41057</category><category>CORS</category><category>AVideo</category><category>webserver</category></item></channel></rss>