CVE-2026-33759

Summary

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the objects/playlistsVideos.json.php endpoint returns the full video contents of any playlist by ID without any authentication or authorization check. Private playlists (including watch_later and favorite types) are correctly hidden from listing endpoints via playlistsFromUser.json.php, but their contents are directly accessible through this endpoint by providing the sequential integer playlists_id parameter. Commit bb716fbece656c9fe39784f11e4e822b5867f1ca has a patch for the issue.

Affected Software

VendorProductVersion RangeStatus
WWBNAVideo<= 26.0affected

Weaknesses

  • CWE-862: CWE-862: Missing Authorization
  • CWE-639: CWE-639: Authorization Bypass Through User-Controlled Key

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: yes
    • Technical Impact: partial

Additional References

References