CVE-2026-33761

MEDIUM NVD

CVSS Score 5.3

Severity MEDIUM

Published Mar 27, 2026

Vendor unknown

Description

WWBN AVideo is an open source video platform. In versions up to and including 26.0, three `list.json.php` endpoints in the Scheduler plugin lack any authentication check, while every other endpoint in the same plugin directories (`add.json.php`, `delete.json.php`, `index.php`) requires `User::isAdmin()`. An unauthenticated attacker can retrieve all scheduled tasks (including internal callback URLs and parameters), admin-composed email messages, and user-to-email targeting mappings by sending simple GET requests. Commit 83390ab1fa8dca2de3f8fa76116a126428405431 contains a patch.

References

https://github.com/WWBN/AVideo/commit/83390ab1fa8dca2de3f8fa76116a126428405431
https://github.com/WWBN/AVideo/security/advisories/GHSA-j724-5c6c-68g5