CVE-2026-33296 Overview
CVE-2026-33296 is an open redirect vulnerability discovered in WWBN AVideo, a popular open source video platform. The vulnerability exists in the login flow where a user-supplied redirectUri parameter is reflected directly into a JavaScript document.location assignment without proper JavaScript-safe encoding. After a user completes the login popup flow, a timer callback executes the redirect using the unvalidated value, potentially sending victims to attacker-controlled websites.
Critical Impact
Attackers can craft malicious login links that redirect authenticated users to phishing sites or malware distribution points after successful login, leveraging the trust users place in the legitimate AVideo domain.
Affected Products
- WWBN AVideo versions prior to 26.0
- All AVideo deployments using the vulnerable login popup flow
- Self-hosted AVideo instances without the security patch applied
Discovery Timeline
- 2026-03-22 - CVE CVE-2026-33296 published to NVD
- 2026-03-24 - Last updated in NVD database
Technical Details for CVE-2026-33296
Vulnerability Analysis
This vulnerability stems from improper input validation (CWE-601: URL Redirection to Untrusted Site) in the AVideo login flow. The application accepts a redirectUri parameter that specifies where to redirect users after successful authentication. However, this parameter is inserted directly into JavaScript code without proper encoding or validation, creating an open redirect condition.
The vulnerable code path occurs in the login popup handler. When users authenticate through a popup window, a JavaScript timer monitors for the window to close. Once closed, the callback function redirects the user using the document.location property. Because the redirectUri value is output using PHP's print statement without JavaScript-safe encoding, attackers can inject arbitrary URLs that execute in the victim's browser context.
Root Cause
The root cause is insufficient output encoding when inserting user-controlled data into JavaScript code. The original implementation used a simple PHP print statement to output the redirect URI into a JavaScript string context. This approach fails to properly encode special characters that could break out of the intended string context or inject malicious URLs. The variable $safeRedirectUri was misleadingly named, as it was not actually sanitized or validated before being output to the client-side script.
Attack Vector
The attack leverages the network-accessible login functionality. An attacker crafts a malicious URL containing a redirectUri parameter pointing to an attacker-controlled domain. When shared with potential victims (via phishing emails, social media, or other channels), users clicking the link are presented with a legitimate AVideo login page. After successfully authenticating, the JavaScript timer detects the closed popup window and redirects the victim to the malicious site. This technique is particularly effective because the initial login occurs on the trusted AVideo domain, lending credibility to the attack.
// Vulnerable code - view/userLogin.php
var logintimer = setInterval(function() {
if (win.closed) {
clearInterval(logintimer);
- document.location = "<?php print $safeRedirectUri; ?>";
+ document.location = <?php echo json_encode($safeRedirectUri); ?>;
}
}, 1000);
$(document).ready(function() {
Source: GitHub Commit Update
The fix replaces the vulnerable print statement with json_encode(), which properly escapes the value for use in a JavaScript context, preventing URL injection attacks.
Detection Methods for CVE-2026-33296
Indicators of Compromise
- Unusual redirectUri parameters in login URLs pointing to external domains
- Server logs showing login requests with encoded or obfuscated redirect parameters
- User reports of unexpected redirects after completing login procedures
- HTTP referrer logs showing AVideo login pages leading to external suspicious domains
Detection Strategies
- Implement web application firewall (WAF) rules to detect and block suspicious redirectUri parameters containing external domain references
- Monitor authentication logs for login requests with redirect parameters pointing outside the application domain
- Deploy URL analysis on login page parameters to identify potential phishing redirect attempts
- Configure browser security tools to alert on post-authentication redirects to untrusted domains
Monitoring Recommendations
- Enable verbose logging for login-related endpoints, specifically capturing redirect parameter values
- Set up alerts for login URLs containing redirectUri parameters with external or suspicious domains
- Monitor network traffic for HTTP redirects from authenticated sessions to unexpected destinations
- Implement user behavior analytics to detect unusual post-login navigation patterns
How to Mitigate CVE-2026-33296
Immediate Actions Required
- Upgrade WWBN AVideo to version 26.0 or later immediately
- Review web server access logs for signs of exploitation attempts using malicious redirectUri values
- Notify users about potential phishing attempts that may leverage this vulnerability
- Implement URL allowlisting for redirect destinations as an additional security layer
Patch Information
WWBN has released version 26.0 which addresses this vulnerability. The fix implements proper JavaScript-safe encoding using PHP's json_encode() function when outputting the redirect URI into the client-side script. The security patch is available in commit 68d0fbb19e382fe62e6cc7bd48b51ffa1d9e310e. Organizations should upgrade to version 26.0 or apply the specific patch to the view/userLogin.php file. For more details, see the GitHub Security Advisory GHSA-hj5h-5623-gwhw.
Workarounds
- Implement server-side URL validation to restrict redirect destinations to a predefined allowlist of trusted domains
- Deploy a reverse proxy or WAF rule to strip or validate redirectUri parameters before they reach the application
- Disable the login popup flow temporarily and use standard form-based authentication until patching is complete
- Add Content Security Policy headers to restrict navigation targets from JavaScript
# Configuration example - Apache mod_rewrite to strip external redirectUri
RewriteEngine On
RewriteCond %{QUERY_STRING} redirectUri=https?://(?!your-domain\.com) [NC]
RewriteRule ^(.*)$ $1? [R=302,L]
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
