Vulnerability DatabaseCVE-2026-29093
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2026-29093
March 06, 2026
WWBN AVideo is an open source video platform. Prior to version 24.0, the official docker-compose.yml publishes the memcached service on host port 11211 (0.0.0.0:11211) with no authentication, while the Dockerfile configures PHP to store all user sessions in that memcached instance. An attacker who can reach port 11211 can read, modify, or flush session data — enabling session hijacking, admin impersonation, and mass session destruction without any application-level authentication. This issue has been patched in version 24.0.
Affected Packages
https://github.com/WWBN/AVideo.git (GITHUB):
Affected version(s) >=2.2 <24.0
Fix Suggestion:
Update to version 24.0
wwbn/avideo (PHP):
Affected version(s) >=10.4 <24.0
Fix Suggestion:
Update to version 24.0
Related Resources (4)
https://github.com/WWBN/AVideo/releases/tag/24.0
https://github.com/WWBN/AVideo/security/advisories/GHSA-xxpw-32hf-q8v9
https://nvd.nist.gov/vuln/detail/CVE-2026-29093
https://github.com/WWBN/AVideo
Do you need more information?
Contact Us
CVSS v4
Base Score:
9.2
Attack Vector
NETWORK
Attack Complexity
HIGH
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
NONE
Vulnerable System Confidentiality
HIGH
Vulnerable System Integrity
HIGH
Vulnerable System Availability
HIGH
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
8.1
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
HIGH
Integrity
HIGH
Availability
HIGH
Weakness Type (CWE)
Exposure of Resource to Wrong Sphere
CWE-668
Improper Authentication
CWE-287
EPSS
Base Score:
0.06