Vulnerability Description
WWBN AVideo is an open source video platform. In versions up to and including 26.0, three `list.json.php` endpoints in the Scheduler plugin lack any authentication check, while every other endpoint in the same plugin directories (`add.json.php`, `delete.json.php`, `index.php`) requires `User::isAdmin()`. An unauthenticated attacker can retrieve all scheduled tasks (including internal callback URLs and parameters), admin-composed email messages, and user-to-email targeting mappings by sending simple GET requests. Commit 83390ab1fa8dca2de3f8fa76116a126428405431 contains a patch.
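The inconsistency described above (some endpoints in a directory call `User::isAdmin()` while a sibling does not) can be audited for in a source checkout. The following is an added example, not code from the AVideo project or the advisory; the directory names in the sample tree are constructed placeholders, and the check is a text match that shows the call is present, not that it is enforced.

```python
import re
import tempfile
from pathlib import Path

# The guard the description says the sibling endpoints use.
GUARD = re.compile(r"User::isAdmin\s*\(")


def unguarded_endpoints(root):
    """Return {directory: [file names]} for PHP files that lack the guard
    in a directory where at least one sibling PHP file does call it."""
    by_dir = {}
    for path in sorted(Path(root).rglob("*.php")):
        by_dir.setdefault(path.parent, []).append(path)
    findings = {}
    for directory, files in by_dir.items():
        guarded = {f for f in files if GUARD.search(f.read_text(errors="replace"))}
        missing = [f.name for f in files if f not in guarded]
        # Report only a mismatch: some siblings check, others do not.
        if guarded and missing:
            findings[directory.relative_to(root).as_posix()] = missing
    return findings


def build_sample_tree(root):
    """Constructed sample layout; ExampleA/ExampleB are placeholder names."""
    guarded = "<?php\nif (!User::isAdmin()) { die('forbidden'); }\n"
    unguarded = "<?php\necho json_encode($rows);\n"
    for sub in ("Scheduler/ExampleA", "Scheduler/ExampleB"):
        directory = Path(root, sub)
        directory.mkdir(parents=True)
        for name in ("add.json.php", "delete.json.php", "index.php"):
            (directory / name).write_text(guarded)
    # ExampleA models the affected state, ExampleB a guarded list endpoint.
    Path(root, "Scheduler/ExampleA/list.json.php").write_text(unguarded)
    Path(root, "Scheduler/ExampleB/list.json.php").write_text(guarded)


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return unguarded_endpoints(tmp)


if __name__ == "__main__":
    print(demo())
```

A file that enforces authentication through an included helper rather than a direct call will be reported here, so treat each finding as a prompt for manual review.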
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| WWBN | AVideo | <= 26.0 |
Related Weaknesses (CWE)
References
- https://github.com/WWBN/AVideo/commit/83390ab1fa8dca2de3f8fa76116a126428405431 (Patch)
- https://github.com/WWBN/AVideo/security/advisories/GHSA-j724-5c6c-68g5 (Exploit, Vendor Advisory)
FAQ
What is CVE-2026-33761?
CVE-2026-33761 is a vulnerability with a CVSS score of 5.3 (MEDIUM). WWBN AVideo is an open source video platform. In versions up to and including 26.0, three `list.json.php` endpoints in the Scheduler plugin lack any authentication check, while every other endpoint in...
How severe is CVE-2026-33761?
CVE-2026-33761 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-33761?
Check the references section above for vendor advisories and patch information. Affected products include: WWBN AVideo.