Vulnerability-Lookup

CVE-2026-33501 (GCVE-0-2026-33501)

Vulnerability from cvelistv5 – Published: 2026-03-23 16:28 – Updated: 2026-03-25 14:18

Title

AVideo has Unauthenticated Information Disclosure of User Group Permission Mappings via Permissions Plugin

Summary

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the endpoint `plugin/Permissions/View/Users_groups_permissions/list.json.php` lacks any authentication or authorization check, allowing unauthenticated users to retrieve the complete permission matrix mapping user groups to plugins. All sibling endpoints in the same directory (`add.json.php`, `delete.json.php`, `index.php`) properly require `User::isAdmin()`, indicating this is an oversight. Commits dc3c825734628bb32550d0daa125f05bacb6829c and b583acdc9a9d1eab461543caa363e1a104fb4516 contain patches.

Severity ?

5.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CWE

CWE-862 - Missing Authorization

Assigner

GitHub_M

References

URL

Tags

	https://github.com/WWBN/AVideo/security/advisorie…	x_refsource_CONFIRM
	https://github.com/WWBN/AVideo/commit/b583acdc9a9…	x_refsource_MISC
	https://github.com/WWBN/AVideo/commit/dc3c8257346…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	WWBN	AVideo	Affected: <= 26.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-33501",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-25T14:18:00.443486Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-25T14:18:32.194Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "AVideo",
          "vendor": "WWBN",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c= 26.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "WWBN AVideo is an open source video platform. In versions up to and including 26.0, the endpoint `plugin/Permissions/View/Users_groups_permissions/list.json.php` lacks any authentication or authorization check, allowing unauthenticated users to retrieve the complete permission matrix mapping user groups to plugins. All sibling endpoints in the same directory (`add.json.php`, `delete.json.php`, `index.php`) properly require `User::isAdmin()`, indicating this is an oversight. Commits dc3c825734628bb32550d0daa125f05bacb6829c and b583acdc9a9d1eab461543caa363e1a104fb4516 contain patches."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862: Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-23T16:28:20.513Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/WWBN/AVideo/security/advisories/GHSA-96qp-8cmq-jvq8",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-96qp-8cmq-jvq8"
        },
        {
          "name": "https://github.com/WWBN/AVideo/commit/b583acdc9a9d1eab461543caa363e1a104fb4516",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/WWBN/AVideo/commit/b583acdc9a9d1eab461543caa363e1a104fb4516"
        },
        {
          "name": "https://github.com/WWBN/AVideo/commit/dc3c825734628bb32550d0daa125f05bacb6829c",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/WWBN/AVideo/commit/dc3c825734628bb32550d0daa125f05bacb6829c"
        }
      ],
      "source": {
        "advisory": "GHSA-96qp-8cmq-jvq8",
        "discovery": "UNKNOWN"
      },
      "title": "AVideo has Unauthenticated Information Disclosure of User Group Permission Mappings via Permissions Plugin"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-33501",
    "datePublished": "2026-03-23T16:28:20.513Z",
    "dateReserved": "2026-03-20T16:59:08.888Z",
    "dateUpdated": "2026-03-25T14:18:32.194Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-33501\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-03-23T17:16:51.490\",\"lastModified\":\"2026-03-24T18:08:01.460\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"WWBN AVideo is an open source video platform. In versions up to and including 26.0, the endpoint `plugin/Permissions/View/Users_groups_permissions/list.json.php` lacks any authentication or authorization check, allowing unauthenticated users to retrieve the complete permission matrix mapping user groups to plugins. All sibling endpoints in the same directory (`add.json.php`, `delete.json.php`, `index.php`) properly require `User::isAdmin()`, indicating this is an oversight. Commits dc3c825734628bb32550d0daa125f05bacb6829c and b583acdc9a9d1eab461543caa363e1a104fb4516 contain patches.\"},{\"lang\":\"es\",\"value\":\"WWBN AVideo es una plataforma de video de c\u00f3digo abierto. En versiones hasta la 26.0 inclusive, el endpoint \u0027plugin/Permissions/View/Users_groups_permissions/list.json.php\u0027 carece de cualquier verificaci\u00f3n de autenticaci\u00f3n o autorizaci\u00f3n, permitiendo a usuarios no autenticados recuperar la matriz de permisos completa que mapea grupos de usuarios a plugins. Todos los endpoints hermanos en el mismo directorio (\u0027add.json.php\u0027, \u0027delete.json.php\u0027, \u0027index.php\u0027) requieren correctamente \u0027User::isAdmin()\u0027, indicando que esto es un descuido. Los commits dc3c825734628bb32550d0daa125f05bacb6829c y b583acdc9a9d1eab461543caa363e1a104fb4516 contienen parches.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-862\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"26.0\",\"matchCriteriaId\":\"774C24F1-9D26-484F-B931-1DA107C8F588\"}]}]}],\"references\":[{\"url\":\"https://github.com/WWBN/AVideo/commit/b583acdc9a9d1eab461543caa363e1a104fb4516\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/WWBN/AVideo/commit/dc3c825734628bb32550d0daa125f05bacb6829c\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/WWBN/AVideo/security/advisories/GHSA-96qp-8cmq-jvq8\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Mitigation\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-33501\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-25T14:18:00.443486Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-25T14:18:26.592Z\"}}], \"cna\": {\"title\": \"AVideo has Unauthenticated Information Disclosure of User Group Permission Mappings via Permissions Plugin\", \"source\": {\"advisory\": \"GHSA-96qp-8cmq-jvq8\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 5.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"WWBN\", \"product\": \"AVideo\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c= 26.0\"}]}], \"references\": [{\"url\": \"https://github.com/WWBN/AVideo/security/advisories/GHSA-96qp-8cmq-jvq8\", \"name\": \"https://github.com/WWBN/AVideo/security/advisories/GHSA-96qp-8cmq-jvq8\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/WWBN/AVideo/commit/b583acdc9a9d1eab461543caa363e1a104fb4516\", \"name\": \"https://github.com/WWBN/AVideo/commit/b583acdc9a9d1eab461543caa363e1a104fb4516\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/WWBN/AVideo/commit/dc3c825734628bb32550d0daa125f05bacb6829c\", \"name\": \"https://github.com/WWBN/AVideo/commit/dc3c825734628bb32550d0daa125f05bacb6829c\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"WWBN AVideo is an open source video platform. In versions up to and including 26.0, the endpoint `plugin/Permissions/View/Users_groups_permissions/list.json.php` lacks any authentication or authorization check, allowing unauthenticated users to retrieve the complete permission matrix mapping user groups to plugins. All sibling endpoints in the same directory (`add.json.php`, `delete.json.php`, `index.php`) properly require `User::isAdmin()`, indicating this is an oversight. Commits dc3c825734628bb32550d0daa125f05bacb6829c and b583acdc9a9d1eab461543caa363e1a104fb4516 contain patches.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-862\", \"description\": \"CWE-862: Missing Authorization\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-03-23T16:28:20.513Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-33501\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-25T14:18:32.194Z\", \"dateReserved\": \"2026-03-20T16:59:08.888Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-03-23T16:28:20.513Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

GHSA-96QP-8CMQ-JVQ8

Vulnerability from github – Published: 2026-03-20 20:57 – Updated: 2026-03-25 20:31

Summary

AVideo has Unauthenticated Information Disclosure of User Group Permission Mappings via Permissions Plugin

Details

Summary

The endpoint plugin/Permissions/View/Users_groups_permissions/list.json.php lacks any authentication or authorization check, allowing unauthenticated users to retrieve the complete permission matrix mapping user groups to plugins. All sibling endpoints in the same directory (add.json.php, delete.json.php, index.php) properly require User::isAdmin(), indicating this is an oversight.

Details

The vulnerable file at plugin/Permissions/View/Users_groups_permissions/list.json.php:1-7 contains:

<?php
require_once '../../../../videos/configuration.php';
require_once $global['systemRootPath'] . 'plugin/Permissions/Objects/Users_groups_permissions.php';
header('Content-Type: application/json');

$rows = Users_groups_permissions::getAll();
?>
{"data": <?php echo json_encode($rows); ?>}

This calls ObjectYPT::getAll() (defined in objects/Object.php:98-111), which executes:

$sql = "SELECT * FROM  " . static::getTableName() . " WHERE 1=1 ";
$sql .= self::getSqlFromPost();

This returns all rows from the users_groups_permissions table as JSON with no access control.

Compare with the sibling add.json.php:10-15 and delete.json.php:9-14, which both enforce:

$plugin = AVideoPlugin::loadPluginIfEnabled('Permissions');
if(!User::isAdmin()){
    $obj->msg = "You cant do this";
    die(json_encode($obj));
}

Similarly, index.php:6-8 (the admin page that loads this data via AJAX) checks:

if (!User::isAdmin()) {
    forbiddenPage("You can not do this");
    exit;
}

No .htaccess or web server configuration restricts direct access to this endpoint.

PoC

# Retrieve complete permission mappings without authentication
curl -s https://target/plugin/Permissions/View/Users_groups_permissions/list.json.php

Expected response (admin-only data):

{"data": [{"id":"1","name":null,"users_groups_id":"2","plugins_id":"5","type":"1","status":"a"}, ...]}

Each row reveals: - users_groups_id — numeric ID of a user group - plugins_id — numeric ID of an installed plugin - type — the permission level granted - status — whether the permission is active (a) or inactive

The getSqlFromPost() method also processes $_POST['sort'] and $_GET parameters, allowing an attacker to paginate and sort results to extract all data systematically.

Impact

An unauthenticated attacker can enumerate the complete authorization model of the AVideo instance:

All user group IDs and which plugins each group can access
All installed plugin IDs and their permission configurations
Permission types and active/inactive status for each group-plugin pair

This information provides a detailed roadmap of the application's authorization architecture, significantly aiding targeted privilege escalation, as an attacker would know exactly which groups have access to which plugins and what permission types are assigned. While not directly exploitable for data modification, it reduces the attacker's effort for follow-up attacks.

Recommended Fix

Add the same admin authorization check used by the sibling endpoints. In plugin/Permissions/View/Users_groups_permissions/list.json.php:

<?php
require_once '../../../../videos/configuration.php';
require_once $global['systemRootPath'] . 'plugin/Permissions/Objects/Users_groups_permissions.php';
header('Content-Type: application/json');

$plugin = AVideoPlugin::loadPluginIfEnabled('Permissions');
if(!User::isAdmin()){
    die(json_encode(['error' => true, 'msg' => 'You cant do this']));
}

$rows = Users_groups_permissions::getAll();
?>
{"data": <?php echo json_encode($rows); ?>}

Severity ?

5.3 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "wwbn/avideo"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "26.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-33501"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-20T20:57:43Z",
    "nvd_published_at": "2026-03-23T17:16:51Z",
    "severity": "MODERATE"
  },
  "details": "## Summary\n\nThe endpoint `plugin/Permissions/View/Users_groups_permissions/list.json.php` lacks any authentication or authorization check, allowing unauthenticated users to retrieve the complete permission matrix mapping user groups to plugins. All sibling endpoints in the same directory (`add.json.php`, `delete.json.php`, `index.php`) properly require `User::isAdmin()`, indicating this is an oversight.\n\n## Details\n\nThe vulnerable file at `plugin/Permissions/View/Users_groups_permissions/list.json.php:1-7` contains:\n\n```php\n\u003c?php\nrequire_once \u0027../../../../videos/configuration.php\u0027;\nrequire_once $global[\u0027systemRootPath\u0027] . \u0027plugin/Permissions/Objects/Users_groups_permissions.php\u0027;\nheader(\u0027Content-Type: application/json\u0027);\n\n$rows = Users_groups_permissions::getAll();\n?\u003e\n{\"data\": \u003c?php echo json_encode($rows); ?\u003e}\n```\n\nThis calls `ObjectYPT::getAll()` (defined in `objects/Object.php:98-111`), which executes:\n\n```php\n$sql = \"SELECT * FROM  \" . static::getTableName() . \" WHERE 1=1 \";\n$sql .= self::getSqlFromPost();\n```\n\nThis returns all rows from the `users_groups_permissions` table as JSON with no access control.\n\nCompare with the sibling `add.json.php:10-15` and `delete.json.php:9-14`, which both enforce:\n\n```php\n$plugin = AVideoPlugin::loadPluginIfEnabled(\u0027Permissions\u0027);\nif(!User::isAdmin()){\n    $obj-\u003emsg = \"You cant do this\";\n    die(json_encode($obj));\n}\n```\n\nSimilarly, `index.php:6-8` (the admin page that loads this data via AJAX) checks:\n\n```php\nif (!User::isAdmin()) {\n    forbiddenPage(\"You can not do this\");\n    exit;\n}\n```\n\nNo `.htaccess` or web server configuration restricts direct access to this endpoint.\n\n## PoC\n\n```bash\n# Retrieve complete permission mappings without authentication\ncurl -s https://target/plugin/Permissions/View/Users_groups_permissions/list.json.php\n```\n\n**Expected response (admin-only data):**\n```json\n{\"data\": [{\"id\":\"1\",\"name\":null,\"users_groups_id\":\"2\",\"plugins_id\":\"5\",\"type\":\"1\",\"status\":\"a\"}, ...]}\n```\n\nEach row reveals:\n- `users_groups_id` \u2014 numeric ID of a user group\n- `plugins_id` \u2014 numeric ID of an installed plugin\n- `type` \u2014 the permission level granted\n- `status` \u2014 whether the permission is active (`a`) or inactive\n\nThe `getSqlFromPost()` method also processes `$_POST[\u0027sort\u0027]` and `$_GET` parameters, allowing an attacker to paginate and sort results to extract all data systematically.\n\n## Impact\n\nAn unauthenticated attacker can enumerate the complete authorization model of the AVideo instance:\n\n- **All user group IDs** and which plugins each group can access\n- **All installed plugin IDs** and their permission configurations\n- **Permission types and active/inactive status** for each group-plugin pair\n\nThis information provides a detailed roadmap of the application\u0027s authorization architecture, significantly aiding targeted privilege escalation, as an attacker would know exactly which groups have access to which plugins and what permission types are assigned. While not directly exploitable for data modification, it reduces the attacker\u0027s effort for follow-up attacks.\n\n## Recommended Fix\n\nAdd the same admin authorization check used by the sibling endpoints. In `plugin/Permissions/View/Users_groups_permissions/list.json.php`:\n\n```php\n\u003c?php\nrequire_once \u0027../../../../videos/configuration.php\u0027;\nrequire_once $global[\u0027systemRootPath\u0027] . \u0027plugin/Permissions/Objects/Users_groups_permissions.php\u0027;\nheader(\u0027Content-Type: application/json\u0027);\n\n$plugin = AVideoPlugin::loadPluginIfEnabled(\u0027Permissions\u0027);\nif(!User::isAdmin()){\n    die(json_encode([\u0027error\u0027 =\u003e true, \u0027msg\u0027 =\u003e \u0027You cant do this\u0027]));\n}\n\n$rows = Users_groups_permissions::getAll();\n?\u003e\n{\"data\": \u003c?php echo json_encode($rows); ?\u003e}\n```",
  "id": "GHSA-96qp-8cmq-jvq8",
  "modified": "2026-03-25T20:31:42Z",
  "published": "2026-03-20T20:57:43Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-96qp-8cmq-jvq8"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33501"
    },
    {
      "type": "WEB",
      "url": "https://github.com/WWBN/AVideo/commit/b583acdc9a9d1eab461543caa363e1a104fb4516"
    },
    {
      "type": "WEB",
      "url": "https://github.com/WWBN/AVideo/commit/dc3c825734628bb32550d0daa125f05bacb6829c"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/WWBN/AVideo"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "AVideo has Unauthenticated Information Disclosure of User Group Permission Mappings via Permissions Plugin"
}

FKIE_CVE-2026-33501

Vulnerability from fkie_nvd - Published: 2026-03-23 17:16 - Updated: 2026-03-24 18:08

Severity ?

5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/WWBN/AVideo/commit/b583acdc9a9d1eab461543caa363e1a104fb4516	Patch
security-advisories@github.com	https://github.com/WWBN/AVideo/commit/dc3c825734628bb32550d0daa125f05bacb6829c	Patch
security-advisories@github.com	https://github.com/WWBN/AVideo/security/advisories/GHSA-96qp-8cmq-jvq8	Exploit, Mitigation, Vendor Advisory

Impacted products

	Vendor	Product	Version
	wwbn	avideo	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "774C24F1-9D26-484F-B931-1DA107C8F588",
              "versionEndIncluding": "26.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "WWBN AVideo is an open source video platform. In versions up to and including 26.0, the endpoint `plugin/Permissions/View/Users_groups_permissions/list.json.php` lacks any authentication or authorization check, allowing unauthenticated users to retrieve the complete permission matrix mapping user groups to plugins. All sibling endpoints in the same directory (`add.json.php`, `delete.json.php`, `index.php`) properly require `User::isAdmin()`, indicating this is an oversight. Commits dc3c825734628bb32550d0daa125f05bacb6829c and b583acdc9a9d1eab461543caa363e1a104fb4516 contain patches."
    },
    {
      "lang": "es",
      "value": "WWBN AVideo es una plataforma de video de c\u00f3digo abierto. En versiones hasta la 26.0 inclusive, el endpoint \u0027plugin/Permissions/View/Users_groups_permissions/list.json.php\u0027 carece de cualquier verificaci\u00f3n de autenticaci\u00f3n o autorizaci\u00f3n, permitiendo a usuarios no autenticados recuperar la matriz de permisos completa que mapea grupos de usuarios a plugins. Todos los endpoints hermanos en el mismo directorio (\u0027add.json.php\u0027, \u0027delete.json.php\u0027, \u0027index.php\u0027) requieren correctamente \u0027User::isAdmin()\u0027, indicando que esto es un descuido. Los commits dc3c825734628bb32550d0daa125f05bacb6829c y b583acdc9a9d1eab461543caa363e1a104fb4516 contienen parches."
    }
  ],
  "id": "CVE-2026-33501",
  "lastModified": "2026-03-24T18:08:01.460",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 1.4,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-03-23T17:16:51.490",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/WWBN/AVideo/commit/b583acdc9a9d1eab461543caa363e1a104fb4516"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/WWBN/AVideo/commit/dc3c825734628bb32550d0daa125f05bacb6829c"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Mitigation",
        "Vendor Advisory"
      ],
      "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-96qp-8cmq-jvq8"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-862"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-33501 (GCVE-0-2026-33501)

GHSA-96QP-8CMQ-JVQ8

Summary

Details

PoC

Impact

Recommended Fix

FKIE_CVE-2026-33501

Tags

Sightings

Nomenclature