Moderate severityNVD Advisory· Published Mar 23, 2026· Updated Mar 24, 2026
AVideo Allows Unauthenticated Access to AD_Server reports.json.php that Exposes Ad Campaign Analytics and User Data
CVE-2026-33685
Description
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the plugin/AD_Server/reports.json.php endpoint performs no authentication or authorization checks, allowing any unauthenticated attacker to extract ad campaign analytics data including video titles, user channel names, user IDs, ad campaign names, and impression/click counts. The HTML counterpart (reports.php) and CSV export (getCSV.php) both correctly enforce User::isAdmin(), but the JSON API was left unprotected. Commit daca4ffb1ce19643eecaa044362c41ac2ce45dde contains a patch.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
wwbn/avideoPackagist | <= 26.0 | — |
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
4- github.com/advisories/GHSA-j36m-74g2-7m95ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-33685ghsaADVISORY
- github.com/WWBN/AVideo/commit/daca4ffb1ce19643eecaa044362c41ac2ce45ddeghsax_refsource_MISCWEB
- github.com/WWBN/AVideo/security/advisories/GHSA-j36m-74g2-7m95ghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.