CVE-2026-33501

MEDIUM EPSS 34.4%
Published Mar 23, 2026 (3mo ago) · Modified Jun 17, 2026 (2w ago)
5.3 CVSS 3.1
Medium

Description

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the endpoint `plugin/Permissions/View/Users_groups_permissions/list.json.php` lacks any authentication or authorization check, allowing unauthenticated users to retrieve the complete permission matrix mapping user groups to plugins. All sibling endpoints in the same directory (`add.json.php`, `delete.json.php`, `index.php`) properly require `User::isAdmin()`, indicating this is an oversight. Commits dc3c825734628bb32550d0daa125f05bacb6829c and b583acdc9a9d1eab461543caa363e1a104fb4516 contain patches.
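The sibling comparison in the description can be turned into a repeatable audit. The following is an added example, not code from AVideo or its patches: it flags PHP endpoints in a directory that never call the guard. The guard's call form (`User::isAdmin(`) and the sample file bodies are assumptions constructed for the demonstration.

```python
import re
import tempfile
from pathlib import Path

# Guard named in the description; its exact call form in AVideo's source is assumed.
GUARD = re.compile(r"\bUser::isAdmin\s*\(")
# Heuristic: strip PHP comments so a commented-out guard does not count as a check.
COMMENTS = re.compile(r"/\*.*?\*/|(?://|#)[^\n]*", re.S)

def unguarded_endpoints(directory):
    """Return sorted names of .php files in `directory` with no guard call."""
    missing = []
    for path in sorted(Path(directory).glob("*.php")):
        code = COMMENTS.sub("", path.read_text(errors="replace"))
        if not GUARD.search(code):
            missing.append(path.name)
    return missing

def build_sample_tree(root):
    """Write constructed stand-ins for the four endpoints named in the description."""
    guarded = "<?php\nif (!User::isAdmin()) { die('forbidden'); }\necho '[]';\n"
    files = {
        "add.json.php": guarded,
        "delete.json.php": guarded,
        "index.php": guarded,
        # Guard appears only inside a comment: the endpoint is still unprotected.
        "list.json.php": "<?php\n// if (!User::isAdmin()) die();\necho '[]';\n",
    }
    for name, body in files.items():
        (Path(root) / name).write_text(body)
    return root

def demo():
    """Audit the constructed tree and return the flagged file names."""
    with tempfile.TemporaryDirectory() as tmp:
        return unguarded_endpoints(build_sample_tree(tmp))

if __name__ == "__main__":
    print(demo())
```

A check enforced in an included file would not be seen by this text match, so treat each hit as a file to review by hand rather than as a confirmed finding.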

CVSS Details

Base Score 5.3
Exploitability 3.9
Impact 1.4
Vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality Low
Integrity None
Availability None

Threat Intelligence

EPSS Exploit Probability
34.4% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available

Weaknesses 1

CWE-862 Missing Authorization

Affected Products 1

Vendor  Product  Version  Range
wwbn    avideo   *        ≤26.0

References 3

  • github.com https://github.com/WWBN/AVideo/commit/b583acdc9a9d1eab461543caa363e1a104fb4516
    Patch
  • github.com https://github.com/WWBN/AVideo/commit/dc3c825734628bb32550d0daa125f05bacb6829c
    Patch
  • github.com https://github.com/WWBN/AVideo/security/advisories/GHSA-96qp-8cmq-jvq8
    Exploit, Mitigation, Vendor Advisory

Remediation

  • github.com https://github.com/WWBN/AVideo/commit/b583acdc9a9d1eab461543caa363e1a104fb4516
    Patch
  • github.com https://github.com/WWBN/AVideo/commit/dc3c825734628bb32550d0daa125f05bacb6829c
    Patch