CVE-2026-33296
Open Redirect in WWBN AVideo Login Flow Enables Phishing
Publication date: 2026-03-22
Last updated on: 2026-03-24
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wwbn | avideo | < 26.0 (26.0 excluded) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-601 | The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-33296 is an open redirect vulnerability in the WWBN AVideo open source video platform, specifically in versions prior to 26.0. The issue occurs in the login flow where a user-supplied redirectUri parameter is reflected directly into a JavaScript document.location assignment without proper JavaScript-safe encoding.
After a user completes the login popup flow, a timer callback executes the redirect using the unvalidated redirectUri value, which can send the victim to an attacker-controlled site. This happens because the redirect URI is embedded directly into JavaScript code without escaping special characters, allowing attackers to manipulate the redirect target.
The vulnerability arises despite an attempt to validate the URL with a function called isSafeRedirectURL(), because that check allows protocol-relative URLs and is open to other bypasses such as subdomain confusion and weak path-prefix matching.
The fix implemented in version 26.0 uses json_encode() to properly encode the redirect URI as a JSON string literal, preventing injection and unsafe redirects.
How can this vulnerability impact me?
This vulnerability can be exploited by an unauthenticated attacker who crafts a malicious login URL containing a specially crafted redirectUri parameter. When a victim uses this URL and completes or closes the login popup, the main page silently redirects the victim to an attacker-controlled website.
The attacker-controlled site can be used for phishing attacks, presenting fake credential-harvesting pages that mimic the original site, potentially stealing user credentials or other sensitive information.
The attack requires user interaction (closing the login popup) but no authentication or special privileges, making it practical for targeted phishing campaigns.
The overall impact includes low confidentiality and integrity impact, no availability impact, and a moderate CVSS score of 5.1, indicating a moderate severity risk.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking whether the application reflects a user-supplied redirectUri parameter directly into the JavaScript code without proper encoding. One way to test this is to send a crafted HTTP request with a malicious redirectUri parameter and observe whether it is reflected in the response.

For example, you can use the following curl command to test if the payload is reflected in the response:

```shell
curl -G https://victim.com/view/userLogin.php --data-urlencode "redirectUri=//evil.com"
```

If the response contains the payload (//evil.com) inside the JavaScript code without proper encoding, the vulnerability is present.

Additionally, a simple Python script can be used to automate this detection by checking if the payload is reflected in the response body:

```python
import requests

base = "https://victim.com/view/userLogin.php"
payload = "//evil.com"
r = requests.get(base, params={"redirectUri": payload})
# A fixed build emits the value through json_encode(), which escapes the
# slashes (\/\/evil.com), so the raw payload only appears when it is
# reflected unencoded.
assert payload in r.text, "Payload not reflected"
print("Reflected payload found in response")
```
[2]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade WWBN AVideo to version 26.0 or later, where the vulnerability has been fixed.

The fix involves properly encoding the redirectUri parameter using a JavaScript-safe encoding method such as PHP's json_encode() function before embedding it into JavaScript code. This prevents injection or manipulation of the redirect target.

If upgrading immediately is not possible, as a temporary workaround, you should ensure that any user-supplied redirectUri parameters are strictly validated and sanitized to disallow protocol-relative URLs and other bypass techniques.

Also, consider monitoring and restricting suspicious redirectUri values and educating users about phishing risks related to unexpected redirects. [1, 2]
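As an added example (not AVideo's own code and not its isSafeRedirectURL()), the following Python illustrates both the vulnerability explanation above and the workaround in this answer: an exact-host allow-list validator that rejects protocol-relative URLs, subdomain confusion and path-prefix matching, beside the raw string concatenation described for the vulnerable versions and an embedding that uses json.dumps, the Python analogue of the json_encode() fix. The allowed host videos.example.org and the function names are assumptions.

```python
import json
from urllib.parse import urlsplit

# Assumed allow-list: the site's own host (constructed for this example).
ALLOWED_HOST = "videos.example.org"


def is_safe_redirect(uri: str, allowed_host: str = ALLOWED_HOST) -> bool:
    """Return True only for site-relative paths or same-host http(s) URLs.

    The parsed host is compared exactly, never prefix-matched, so
    'videos.example.org.evil.example' and 'videos.example.org@evil.example'
    are rejected along with protocol-relative and non-http(s) targets.
    """
    if not uri or any(c in uri for c in "\r\n\\\x00"):
        return False
    if uri.startswith("//"):
        return False  # protocol-relative: the browser supplies the scheme
    parts = urlsplit(uri)
    if parts.scheme == "" and parts.netloc == "":
        return uri.startswith("/")  # bare host names are not relative paths
    if parts.scheme not in ("http", "https"):
        return False
    if parts.username or parts.password:
        return False  # userinfo tricks such as https://allowed@other-host/
    return (parts.hostname or "").lower() == allowed_host


def vulnerable_snippet(redirect_uri: str) -> str:
    # The pattern described for AVideo < 26.0: the value is concatenated
    # straight into a document.location assignment, unencoded.
    return 'document.location = "' + redirect_uri + '";'


def fixed_snippet(redirect_uri: str, fallback: str = "/") -> str:
    # Mirrors the 26.0 fix: validate first, then emit a JSON string literal.
    # json_encode() escapes '/' as '\/' by default, which also prevents a
    # '</script>' in the value from closing the script block; json.dumps does
    # not, so the slashes are escaped here to match.
    target = redirect_uri if is_safe_redirect(redirect_uri) else fallback
    literal = json.dumps(target).replace("/", "\\/")
    return "document.location = " + literal + ";"
```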