VYPR
Moderate severityNVD Advisory· Published Mar 23, 2026· Updated Mar 24, 2026

AVideo Allows Unauthenticated Access to AD_Server reports.json.php that Exposes Ad Campaign Analytics and User Data

CVE-2026-33685

Description

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the plugin/AD_Server/reports.json.php endpoint performs no authentication or authorization checks, allowing any unauthenticated attacker to extract ad campaign analytics data including video titles, user channel names, user IDs, ad campaign names, and impression/click counts. The HTML counterpart (reports.php) and CSV export (getCSV.php) both correctly enforce User::isAdmin(), but the JSON API was left unprotected. Commit daca4ffb1ce19643eecaa044362c41ac2ce45dde contains a patch.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
wwbn/avideoPackagist
<= 26.0

Affected products

2

Patches

Vulnerability mechanics

References

4

News mentions

0

No linked articles in our index yet.