CVE-2026-33761

Summary

WWBN AVideo is an open source video platform. In versions up to and including 26.0, three list.json.php endpoints in the Scheduler plugin lack any authentication check, while every other endpoint in the same plugin directories (add.json.php, delete.json.php, index.php) requires User::isAdmin(). An unauthenticated attacker can retrieve all scheduled tasks (including internal callback URLs and parameters), admin-composed email messages, and user-to-email targeting mappings by sending simple GET requests. Commit 83390ab1fa8dca2de3f8fa76116a126428405431 contains a patch.

Affected Software

VendorProductVersion RangeStatus
WWBNAVideo<= 26.0affected

Weaknesses

  • CWE-862: CWE-862: Missing Authorization
  • CWE-200: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: yes
    • Technical Impact: partial

References