CVE-2026-33685

MEDIUM NVD

CVSS Score 5.3

Severity MEDIUM

Published Mar 23, 2026

Vendor unknown

Description

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `plugin/AD_Server/reports.json.php` endpoint performs no authentication or authorization checks, allowing any unauthenticated attacker to extract ad campaign analytics data including video titles, user channel names, user IDs, ad campaign names, and impression/click counts. The HTML counterpart (`reports.php`) and CSV export (`getCSV.php`) both correctly enforce `User::isAdmin()`, but the JSON API was left unprotected. Commit daca4ffb1ce19643eecaa044362c41ac2ce45dde contains a patch.

References

https://github.com/WWBN/AVideo/commit/daca4ffb1ce19643eecaa044362c41ac2ce45dde
https://github.com/WWBN/AVideo/security/advisories/GHSA-j36m-74g2-7m95
https://github.com/WWBN/AVideo/security/advisories/GHSA-j36m-74g2-7m95