Medium severity5.3NVD Advisory· Published Mar 27, 2026· Updated Mar 31, 2026
CVE-2026-33761
CVE-2026-33761
Description
WWBN AVideo is an open source video platform. In versions up to and including 26.0, three list.json.php endpoints in the Scheduler plugin lack any authentication check, while every other endpoint in the same plugin directories (add.json.php, delete.json.php, index.php) requires User::isAdmin(). An unauthenticated attacker can retrieve all scheduled tasks (including internal callback URLs and parameters), admin-composed email messages, and user-to-email targeting mappings by sending simple GET requests. Commit 83390ab1fa8dca2de3f8fa76116a126428405431 contains a patch.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
wwbn/avideoPackagist | <= 26.0 | — |
Affected products
2Patches
Vulnerability mechanics
References
4- github.com/WWBN/AVideo/commit/83390ab1fa8dca2de3f8fa76116a126428405431nvdPatchWEB
- github.com/WWBN/AVideo/security/advisories/GHSA-j724-5c6c-68g5nvdExploitVendor AdvisoryWEB
- github.com/advisories/GHSA-j724-5c6c-68g5ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-33761ghsaADVISORY
News mentions
0No linked articles in our index yet.