CVE-2026-29093 · CRITICAL 9.8 · EPSS p38.2%

Description

WWBN AVideo is an open source video platform. Prior to version 24.0, the official docker-compose.yml publishes the memcached service on host port 11211 (0.0.0.0:11211) with no authentication, while the Dockerfile configures PHP to store all user sessions in that memcached instance. An attacker who can reach port 11211 can read, modify, or flush session data — enabling session hijacking, admin impersonation, and mass session destruction without any application-level authentication. This issue has been patched in version 24.0.

Scoring

CVSS 3.1: 9.8 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.49% probability of exploitation · percentile 38.2% · 2026-06-19T12:03:05Z
Published: 2026-03-06
Last modified: 2026-03-16

Underlying weaknesses · 2

CWE-287, CWE-668

References

  1. https://github.com/WWBN/AVideo/releases/tag/24.0
  2. https://github.com/WWBN/AVideo/security/advisories/GHSA-xxpw-32hf-q8v9

| Type | Target | Confidence | Tier |
|---|---|---|---|
| Weakness | Improper Authentication (cwe-287) | 0% | live |
| Weakness | Exposure of Resource to Wrong Sphere (cwe-668) | 0% | live |

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE-2026-33037
  2. CVE-2026-33043
  3. CVE-2026-33038
  4. CVE-2026-34394
  5. CVE-2026-33649
  6. CVE-2026-40925

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.