CVE-2026-33296
Received Received - Intake
Open Redirect in WWBN AVideo Login Flow Enables Phishing

Publication date: 2026-03-22

Last updated on: 2026-03-24

Assigner: GitHub, Inc.

Description
WWBN AVideo is an open source video platform. Prior to version 26.0, WWBN/AVideo contains an open redirect vulnerability in the login flow where a user-supplied redirectUri parameter is reflected directly into a JavaScript `document.location` assignment without JavaScript-safe encoding. After a user completes the login popup flow, a timer callback executes the redirect using the unvalidated value, sending the victim to an attacker-controlled site. Version 26.0 fixes the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-22
Last Modified
2026-03-24
Generated
2026-06-16
AI Q&A
2026-03-22
EPSS Evaluated
2026-06-14
NVD
CVE-2026-33296
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wwbn avideo to 26.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-601 The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-33296 is an open redirect vulnerability in the WWBN AVideo open source video platform, specifically in versions prior to 26.0. The issue occurs in the login flow where a user-supplied redirectUri parameter is reflected directly into a JavaScript document.location assignment without proper JavaScript-safe encoding.

After a user completes the login popup flow, a timer callback executes the redirect using the unvalidated redirectUri value, which can send the victim to an attacker-controlled site. This happens because the redirect URI is embedded directly into JavaScript code without escaping special characters, allowing attackers to manipulate the redirect target.

The vulnerability arises despite an attempt to validate the URL with a function called isSafeRedirectURL(), because it allows protocol-relative URLs and other bypass techniques such as subdomain confusion and path-prefix matching weaknesses.

The fix implemented in version 26.0 uses json_encode() to properly encode the redirect URI as a JSON string literal, preventing injection and unsafe redirects.

Impact Analysis

This vulnerability can be exploited by an unauthenticated attacker who crafts a malicious login URL containing a specially crafted redirectUri parameter. When a victim uses this URL and completes or closes the login popup, the main page silently redirects the victim to an attacker-controlled website.

The attacker-controlled site can be used for phishing attacks, presenting fake credential-harvesting pages that mimic the original site, potentially stealing user credentials or other sensitive information.

The attack requires user interaction (closing the login popup) but no authentication or special privileges, making it practical for targeted phishing campaigns.

The overall impact includes low confidentiality and integrity impact, no availability impact, and a moderate CVSS score of 5.1, indicating a moderate severity risk.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by checking if the application reflects a user-supplied redirectUri parameter directly into the JavaScript code without proper encoding. One way to test this is to send a crafted HTTP request with a malicious redirectUri parameter and observe if it is reflected in the response.'}, {'type': 'paragraph', 'content': 'For example, you can use the following curl command to test if the payload is reflected in the response:'}, {'type': 'list_item', 'content': 'curl -G https://victim.com/view/userLogin.php --data-urlencode "redirectUri=//evil.com"'}, {'type': 'paragraph', 'content': 'If the response contains the payload (//evil.com) inside the JavaScript code without proper encoding, the vulnerability is present.'}, {'type': 'paragraph', 'content': 'Additionally, a simple Python script can be used to automate this detection by checking if the payload is reflected in the response body:'}, {'type': 'list_item', 'content': 'import requests\nbase = "https://victim.com/view/userLogin.php"\npayload = "//evil.com"\nr = requests.get(base, params={"redirectUri": payload})\nassert payload in r.text, "Payload not reflected"\nprint("Reflected payload found in response")'}] [2]

Mitigation Strategies

[{'type': 'paragraph', 'content': 'The immediate mitigation step is to upgrade WWBN AVideo to version 26.0 or later, where the vulnerability has been fixed.'}, {'type': 'paragraph', 'content': "The fix involves properly encoding the redirectUri parameter using a JavaScript-safe encoding method such as PHP's json_encode() function before embedding it into JavaScript code. This prevents injection or manipulation of the redirect target."}, {'type': 'paragraph', 'content': 'If upgrading immediately is not possible, as a temporary workaround, you should ensure that any user-supplied redirectUri parameters are strictly validated and sanitized to disallow protocol-relative URLs and other bypass techniques.'}, {'type': 'paragraph', 'content': 'Also, consider monitoring and restricting suspicious redirectUri values and educating users about phishing risks related to unexpected redirects.'}] [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33296. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart