← Back

CVE-2026-29093

nvd nist
Published: Mar 6, 2026Modified: Mar 16, 2026

JSON object

Loading...
9.8
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 / Impact: 5.9
Source: NVD

Description

WWBN AVideo is an open source video platform. Prior to version 24.0, the official docker-compose.yml publishes the memcached service on host port 11211 (0.0.0.0:11211) with no authentication, while the Dockerfile configures PHP to store all user sessions in that memcached instance. An attacker who can reach port 11211 can read, modify, or flush session data — enabling session hijacking, admin impersonation, and mass session destruction without any application-level authentication. This issue has been patched in version 24.0.

Affected (1)

Products: Wwbn: Avideo
Wwbn
1 product
Avideo
Configuration A
1 vulnerable
Vulnerable SoftwareAffected Versions
Avideo
Before 24.0

Related CWEs

CWE-287
Improper Authentication
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
CWE-668
Exposure of Resource to Wrong Sphere
The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.

References (2)

Source: security-advisories@github.com
ProductRelease Notes
Source: security-advisories@github.com
Vendor AdvisoryExploit

Timeline

No history available yet.