Vulnerability Description
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the AI plugin's `save.json.php` endpoint loads AI response objects using an attacker-controlled `$_REQUEST['id']` parameter without validating that the AI response belongs to the specified video. An authenticated user with AI permissions can reference any AI response ID — including those generated for other users' private videos — and apply the stolen AI-generated content (titles, descriptions, keywords, summaries, or full transcriptions) to their own video, effectively exfiltrating the information. Commit aa2c46a806960a0006105df47765913394eec142 contains a patch.
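The missing check described above, as an added example (not AVideo's code and not the patch in the referenced commit). It is a minimal PHP model of the flaw and its fix; the function names, the `videos_id` request field, and the sample rows are all assumptions constructed for illustration.

```php
<?php
// Constructed sample data: each AI response row records the video it was generated for.
$aiResponses = [
    101 => ['videos_id' => 7, 'title' => 'Private board meeting recap'], // another user's private video
    202 => ['videos_id' => 9, 'title' => 'My cat video'],                // requester's own video
];
$videoOwners = [7 => 1, 9 => 2]; // constructed: video id => owning user id

function canEditVideo(array $owners, int $userId, int $videosId): bool
{
    return isset($owners[$videosId]) && $owners[$videosId] === $userId;
}

// Flawed pattern: the caller is authorized for the target video, but the response is loaded by id alone.
function saveVulnerable(array $responses, array $owners, int $userId, array $request): array
{
    $videosId = (int)($request['videos_id'] ?? 0);
    if (!canEditVideo($owners, $userId, $videosId)) {
        return ['error' => true, 'msg' => 'Forbidden'];
    }
    $response = $responses[(int)($request['id'] ?? 0)] ?? null;
    if ($response === null) {
        return ['error' => true, 'msg' => 'Not found'];
    }
    return ['error' => false, 'videos_id' => $videosId, 'title' => $response['title']];
}

// Hardened pattern: the loaded response must belong to the video the caller is authorized for.
function saveHardened(array $responses, array $owners, int $userId, array $request): array
{
    $videosId = (int)($request['videos_id'] ?? 0);
    if (!canEditVideo($owners, $userId, $videosId)) {
        return ['error' => true, 'msg' => 'Forbidden'];
    }
    $response = $responses[(int)($request['id'] ?? 0)] ?? null;
    // Same reply for "missing" and "belongs to another video", so the endpoint is not an id oracle.
    if ($response === null || $response['videos_id'] !== $videosId) {
        return ['error' => true, 'msg' => 'Not found'];
    }
    return ['error' => false, 'videos_id' => $videosId, 'title' => $response['title']];
}

// User 2 owns video 9 but references response 101, which was generated for video 7.
$request = ['id' => 101, 'videos_id' => 9];
echo json_encode(saveVulnerable($aiResponses, $videoOwners, 2, $request)), PHP_EOL;
echo json_encode(saveHardened($aiResponses, $videoOwners, 2, $request)), PHP_EOL;
```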
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| WWBN | AVideo | <= 26.0 |
Related Weaknesses (CWE)
References
- https://github.com/WWBN/AVideo/commit/aa2c46a806960a0006105df47765913394eec142 (Patch)
- https://github.com/WWBN/AVideo/security/advisories/GHSA-g39v-qrj6-jxrh (Exploit, Vendor Advisory)
FAQ
What is CVE-2026-33764?
CVE-2026-33764 is a vulnerability with a CVSS score of 4.3 (MEDIUM). WWBN AVideo is an open source video platform. In versions up to and including 26.0, the AI plugin's `save.json.php` endpoint loads AI response objects using an attacker-controlled `$_REQUEST['id']` pa...
How severe is CVE-2026-33764?
CVE-2026-33764 has been rated MEDIUM with a CVSS base score of 4.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-33764?
Check the references section above for vendor advisories and patch information. Affected products include: WWBN AVideo.