Medium severity5.3NVD Advisory· Published Mar 27, 2026· Updated Mar 31, 2026
CVE-2026-33761
CVE-2026-33761
Description
WWBN AVideo is an open source video platform. In versions up to and including 26.0, three list.json.php endpoints in the Scheduler plugin lack any authentication check, while every other endpoint in the same plugin directories (add.json.php, delete.json.php, index.php) requires User::isAdmin(). An unauthenticated attacker can retrieve all scheduled tasks (including internal callback URLs and parameters), admin-composed email messages, and user-to-email targeting mappings by sending simple GET requests. Commit 83390ab1fa8dca2de3f8fa76116a126428405431 contains a patch.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
wwbn/avideoPackagist | <= 26.0 | — |
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
4- github.com/WWBN/AVideo/commit/83390ab1fa8dca2de3f8fa76116a126428405431nvdPatchWEB
- github.com/WWBN/AVideo/security/advisories/GHSA-j724-5c6c-68g5nvdExploitVendor AdvisoryWEB
- github.com/advisories/GHSA-j724-5c6c-68g5ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-33761ghsaADVISORY
News mentions
0No linked articles in our index yet.