Medium severity5.3NVD Advisory· Published Mar 27, 2026· Updated Mar 31, 2026
CVE-2026-33759
CVE-2026-33759
Description
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the objects/playlistsVideos.json.php endpoint returns the full video contents of any playlist by ID without any authentication or authorization check. Private playlists (including watch_later and favorite types) are correctly hidden from listing endpoints via playlistsFromUser.json.php, but their contents are directly accessible through this endpoint by providing the sequential integer playlists_id parameter. Commit bb716fbece656c9fe39784f11e4e822b5867f1ca has a patch for the issue.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
wwbn/avideoPackagist | <= 26.0 | — |
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
4- github.com/WWBN/AVideo/commit/bb716fbece656c9fe39784f11e4e822b5867f1canvdPatchWEB
- github.com/WWBN/AVideo/security/advisories/GHSA-75qq-68m8-pvfrnvdExploitVendor AdvisoryWEB
- github.com/advisories/GHSA-75qq-68m8-pvfrghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-33759ghsaADVISORY
News mentions
0No linked articles in our index yet.