CVE-2026-33685
MEDIUM EPSS 23.2%
Published Mar 23, 20263mo ago · Modified Jun 17, 20262w ago
5.3 CVSS 3.1
Published Mar 23, 2026 3mo ago
Last Modified Jun 17, 2026 2w ago
Description
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `plugin/AD_Server/reports.json.php` endpoint performs no authentication or authorization checks, allowing any unauthenticated attacker to extract ad campaign analytics data including video titles, user channel names, user IDs, ad campaign names, and impression/click counts. The HTML counterpart (`reports.php`) and CSV export (`getCSV.php`) both correctly enforce `User::isAdmin()`, but the JSON API was left unprotected. Commit daca4ffb1ce19643eecaa044362c41ac2ce45dde contains a patch.
CVSS Details
Base Score
Exploitability
Impact
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality Low
Integrity None
Availability None
Threat Intelligence
EPSS Exploit Probability
23.2% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available
Weaknesses 1
CWE-862 Missing Authorization Authorization
Affected Products 1
| Vendor | Product | Version | Range |
|---|---|---|---|
| wwbn | avideo | * | ≤26.0 |
References 2
- github.com https://github.com/WWBN/AVideo/commit/daca4ffb1ce19643eecaa044362c41ac2ce45dde
- github.com https://github.com/WWBN/AVideo/security/advisories/GHSA-j36m-74g2-7m95
Remediation
- github.com https://github.com/WWBN/AVideo/commit/daca4ffb1ce19643eecaa044362c41ac2ce45dde