Vulnerability Description
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `plugin/AD_Server/reports.json.php` endpoint performs no authentication or authorization checks, allowing any unauthenticated attacker to extract ad campaign analytics data including video titles, user channel names, user IDs, ad campaign names, and impression/click counts. The HTML counterpart (`reports.php`) and CSV export (`getCSV.php`) both correctly enforce `User::isAdmin()`, but the JSON API was left unprotected. Commit daca4ffb1ce19643eecaa044362c41ac2ce45dde contains a patch.
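One way to catch this class of gap during code review, as an added example (not AVideo code and not part of the advisory): flag PHP files that never call `User::isAdmin()` in a directory where sibling files do. The sample files are constructed stand-ins for the three endpoints named above, and the comment stripping is an approximation that does not parse string literals.

```python
import re
import tempfile
from pathlib import Path

# Guard named in the advisory; no other guard names are assumed.
GUARD = re.compile(r"\bUser::isAdmin\s*\(")
# PHP comments: /* ... */, // ..., # ... (approximate, ignores string literals)
COMMENTS = re.compile(r"/\*.*?\*/|//[^\n]*|#[^\n]*", re.S)


def has_guard(php_source: str) -> bool:
    """True if the guard is called in live code; commented-out calls do not count."""
    return bool(GUARD.search(COMMENTS.sub("", php_source)))


def unguarded_siblings(plugin_dir: Path) -> list[str]:
    """List .php files lacking the guard in a directory where a sibling has it."""
    files = sorted(plugin_dir.glob("*.php"))
    guarded = {f.name for f in files if has_guard(f.read_text(errors="replace"))}
    if not guarded:  # nothing enforces the check here, so no inconsistency to report
        return []
    return [f.name for f in files if f.name not in guarded]


def build_sample(root: Path) -> Path:
    """Constructed stand-ins for the files named in the advisory (not AVideo source)."""
    d = root / "plugin" / "AD_Server"
    d.mkdir(parents=True)
    check = "<?php\nif (!User::isAdmin()) { die('forbidden'); }\n"
    (d / "reports.php").write_text(check + "echo '<table>';\n")
    (d / "getCSV.php").write_text(check + "echo 'csv';\n")
    # A commented-out guard must still be reported as missing.
    (d / "reports.json.php").write_text(
        "<?php\n// if (!User::isAdmin()) { die(); }\necho json_encode($rows);\n")
    return d


def demo() -> list[str]:
    with tempfile.TemporaryDirectory() as tmp:
        return unguarded_siblings(build_sample(Path(tmp)))


if __name__ == "__main__":
    print(demo())
```

A flagged file is a review candidate, not a confirmed finding: files that are only included by a guarded page, or that are meant to be public, will also be listed.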
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| WWBN | AVideo | <= 26.0 |
Related Weaknesses (CWE)
References
- https://github.com/WWBN/AVideo/commit/daca4ffb1ce19643eecaa044362c41ac2ce45dde (Patch)
- https://github.com/WWBN/AVideo/security/advisories/GHSA-j36m-74g2-7m95 (Exploit, Vendor Advisory)
FAQ
What is CVE-2026-33685?
CVE-2026-33685 is a vulnerability with a CVSS score of 5.3 (MEDIUM). WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `plugin/AD_Server/reports.json.php` endpoint performs no authentication or authorization checks, allowing any un...
How severe is CVE-2026-33685?
CVE-2026-33685 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2026-33685?
Check the references section above for vendor advisories and patch information. Affected products include: WWBN AVideo.