Vulnerability-Lookup

CVE-2026-33761 (GCVE-0-2026-33761)

Vulnerability from cvelistv5 – Published: 2026-03-27 14:24 – Updated: 2026-03-27 17:22

Title

AVideo: Unauthenticated Access to Scheduler Plugin Endpoints Leaks Scheduled Tasks, Email Content, and User Mappings

Summary

WWBN AVideo is an open source video platform. In versions up to and including 26.0, three `list.json.php` endpoints in the Scheduler plugin lack any authentication check, while every other endpoint in the same plugin directories (`add.json.php`, `delete.json.php`, `index.php`) requires `User::isAdmin()`. An unauthenticated attacker can retrieve all scheduled tasks (including internal callback URLs and parameters), admin-composed email messages, and user-to-email targeting mappings by sending simple GET requests. Commit 83390ab1fa8dca2de3f8fa76116a126428405431 contains a patch.

Severity ?

5.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CWE

CWE-862 - Missing Authorization
CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor

Assigner

GitHub_M

References

URL

Tags

	https://github.com/WWBN/AVideo/security/advisorie…	x_refsource_CONFIRM
	https://github.com/WWBN/AVideo/commit/83390ab1fa8…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	WWBN	AVideo	Affected: <= 26.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-33761",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-27T17:21:06.213364Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-27T17:22:49.884Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "AVideo",
          "vendor": "WWBN",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c= 26.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "WWBN AVideo is an open source video platform. In versions up to and including 26.0, three `list.json.php` endpoints in the Scheduler plugin lack any authentication check, while every other endpoint in the same plugin directories (`add.json.php`, `delete.json.php`, `index.php`) requires `User::isAdmin()`. An unauthenticated attacker can retrieve all scheduled tasks (including internal callback URLs and parameters), admin-composed email messages, and user-to-email targeting mappings by sending simple GET requests. Commit 83390ab1fa8dca2de3f8fa76116a126428405431 contains a patch."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862: Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-200",
              "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-27T14:24:08.051Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/WWBN/AVideo/security/advisories/GHSA-j724-5c6c-68g5",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-j724-5c6c-68g5"
        },
        {
          "name": "https://github.com/WWBN/AVideo/commit/83390ab1fa8dca2de3f8fa76116a126428405431",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/WWBN/AVideo/commit/83390ab1fa8dca2de3f8fa76116a126428405431"
        }
      ],
      "source": {
        "advisory": "GHSA-j724-5c6c-68g5",
        "discovery": "UNKNOWN"
      },
      "title": "AVideo: Unauthenticated Access to Scheduler Plugin Endpoints Leaks Scheduled Tasks, Email Content, and User Mappings"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-33761",
    "datePublished": "2026-03-27T14:24:08.051Z",
    "dateReserved": "2026-03-23T18:30:14.126Z",
    "dateUpdated": "2026-03-27T17:22:49.884Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-33761\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-03-27T15:16:58.223\",\"lastModified\":\"2026-03-31T18:38:39.170\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"WWBN AVideo is an open source video platform. In versions up to and including 26.0, three `list.json.php` endpoints in the Scheduler plugin lack any authentication check, while every other endpoint in the same plugin directories (`add.json.php`, `delete.json.php`, `index.php`) requires `User::isAdmin()`. An unauthenticated attacker can retrieve all scheduled tasks (including internal callback URLs and parameters), admin-composed email messages, and user-to-email targeting mappings by sending simple GET requests. Commit 83390ab1fa8dca2de3f8fa76116a126428405431 contains a patch.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-200\"},{\"lang\":\"en\",\"value\":\"CWE-862\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"26.0\",\"matchCriteriaId\":\"774C24F1-9D26-484F-B931-1DA107C8F588\"}]}]}],\"references\":[{\"url\":\"https://github.com/WWBN/AVideo/commit/83390ab1fa8dca2de3f8fa76116a126428405431\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/WWBN/AVideo/security/advisories/GHSA-j724-5c6c-68g5\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-33761\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-27T17:21:06.213364Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-27T17:22:02.975Z\"}}], \"cna\": {\"title\": \"AVideo: Unauthenticated Access to Scheduler Plugin Endpoints Leaks Scheduled Tasks, Email Content, and User Mappings\", \"source\": {\"advisory\": \"GHSA-j724-5c6c-68g5\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 5.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"WWBN\", \"product\": \"AVideo\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c= 26.0\"}]}], \"references\": [{\"url\": \"https://github.com/WWBN/AVideo/security/advisories/GHSA-j724-5c6c-68g5\", \"name\": \"https://github.com/WWBN/AVideo/security/advisories/GHSA-j724-5c6c-68g5\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/WWBN/AVideo/commit/83390ab1fa8dca2de3f8fa76116a126428405431\", \"name\": \"https://github.com/WWBN/AVideo/commit/83390ab1fa8dca2de3f8fa76116a126428405431\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"WWBN AVideo is an open source video platform. In versions up to and including 26.0, three `list.json.php` endpoints in the Scheduler plugin lack any authentication check, while every other endpoint in the same plugin directories (`add.json.php`, `delete.json.php`, `index.php`) requires `User::isAdmin()`. An unauthenticated attacker can retrieve all scheduled tasks (including internal callback URLs and parameters), admin-composed email messages, and user-to-email targeting mappings by sending simple GET requests. Commit 83390ab1fa8dca2de3f8fa76116a126428405431 contains a patch.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-862\", \"description\": \"CWE-862: Missing Authorization\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-200\", \"description\": \"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-03-27T14:24:08.051Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-33761\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-27T17:22:49.884Z\", \"dateReserved\": \"2026-03-23T18:30:14.126Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-03-27T14:24:08.051Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

GHSA-J724-5C6C-68G5

Vulnerability from github – Published: 2026-03-26 18:06 – Updated: 2026-03-27 21:38

Summary

AVideo: Unauthenticated Access to Scheduler Plugin Endpoints Leaks Scheduled Tasks, Email Content, and User Mappings

Details

Summary

Three list.json.php endpoints in the Scheduler plugin lack any authentication check, while every other endpoint in the same plugin directories (add.json.php, delete.json.php, index.php) requires User::isAdmin(). An unauthenticated attacker can retrieve all scheduled tasks (including internal callback URLs and parameters), admin-composed email messages, and user-to-email targeting mappings by sending simple GET requests.

Details

The vulnerable files are:

1. plugin/Scheduler/View/Scheduler_commands/list.json.php:1-7

<?php
require_once '../../../../videos/configuration.php';
require_once $global['systemRootPath'] . 'plugin/Scheduler/Objects/Scheduler_commands.php';
header('Content-Type: application/json');

$rows = Scheduler_commands::getAll();
?>
{"data": <?php echo json_encode($rows); ?>}

2. plugin/Scheduler/View/Emails_messages/list.json.php:1-10

<?php
require_once '../../../../videos/configuration.php';
require_once $global['systemRootPath'] . 'plugin/Scheduler/Objects/Emails_messages.php';
header('Content-Type: application/json');

$rows = Emails_messages::getAll();
$total = Emails_messages::getTotal();
?>
{"data": <?php echo json_encode($rows); ?>, ...}

3. plugin/Scheduler/View/Email_to_user/list.json.php:1-10

<?php
require_once '../../../../videos/configuration.php';
require_once $global['systemRootPath'] . 'plugin/Scheduler/Objects/Email_to_user.php';
header('Content-Type: application/json');

$rows = Email_to_user::getAll();
$total = Email_to_user::getTotal();
?>
{"data": <?php echo json_encode($rows); ?>, ...}

None of these files check authentication before calling getAll(), which executes SELECT * FROM {table} and returns the entire table contents.

In contrast, every sibling endpoint requires admin access. For example, plugin/Scheduler/View/Scheduler_commands/add.json.php:12-15:

if(!User::isAdmin()){
    $obj->msg = "You cant do this";
    die(json_encode($obj));
}

The Scheduler_commands table (defined in plugin/Scheduler/Objects/Scheduler_commands.php) stores fields including callbackURL (internal server URLs with query parameters), parameters (JSON blobs containing user IDs and email configuration), status, timezone, and cron scheduling fields. The Emails_messages table stores subject and message (full HTML email bodies composed by admins). The Email_to_user table maps users_id to emails_messages_id, revealing which users are targeted by which email campaigns.

PoC

# 1. Retrieve all scheduled tasks — exposes internal callbackURLs and parameters
curl -s 'https://target/plugin/Scheduler/View/Scheduler_commands/list.json.php' | jq '.data[] | {id, callbackURL, parameters, status, type}'

# 2. Retrieve all admin-composed email messages — exposes subject and HTML body
curl -s 'https://target/plugin/Scheduler/View/Emails_messages/list.json.php' | jq '.data[] | {id, subject, message}'

# 3. Retrieve user-to-email targeting mappings — reveals which users receive which emails
curl -s 'https://target/plugin/Scheduler/View/Email_to_user/list.json.php' | jq '.data[] | {users_id, emails_messages_id, sent_at}'

All three return full database contents with no authentication required. No session cookie or token is needed.

Impact

An unauthenticated attacker can:

Enumerate internal infrastructure: callbackURL fields expose internal server URLs and query parameters used by the scheduler, potentially revealing internal API endpoints and their parameter structures
Read admin email campaigns: Full email subjects and HTML message bodies composed by administrators are exposed
Map user targeting: The Email_to_user table reveals which users_id values are targeted by which email campaigns, enabling user enumeration and profiling
Gather reconnaissance: Scheduling configuration (cron fields, execution status, timezone) reveals operational patterns and timing of automated tasks

The information disclosed could be used to facilitate further attacks (e.g., using discovered internal URLs for SSRF, or user IDs for targeted account attacks).

Recommended Fix

Add User::isAdmin() checks to all three list.json.php files, matching the pattern used by sibling endpoints. For each file, add the following after the require_once lines and before the data retrieval:

plugin/Scheduler/View/Scheduler_commands/list.json.php:

<?php
require_once '../../../../videos/configuration.php';
require_once $global['systemRootPath'] . 'plugin/Scheduler/Objects/Scheduler_commands.php';
header('Content-Type: application/json');

if(!User::isAdmin()){
    die(json_encode(['error' => true, 'msg' => 'Not authorized']));
}

$rows = Scheduler_commands::getAll();
?>
{"data": <?php echo json_encode($rows); ?>}

Apply the same pattern to Emails_messages/list.json.php and Email_to_user/list.json.php.

Severity ?

5.3 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "wwbn/avideo"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "26.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-33761"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-862"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-26T18:06:39Z",
    "nvd_published_at": "2026-03-27T15:16:58Z",
    "severity": "MODERATE"
  },
  "details": "## Summary\n\nThree `list.json.php` endpoints in the Scheduler plugin lack any authentication check, while every other endpoint in the same plugin directories (`add.json.php`, `delete.json.php`, `index.php`) requires `User::isAdmin()`. An unauthenticated attacker can retrieve all scheduled tasks (including internal callback URLs and parameters), admin-composed email messages, and user-to-email targeting mappings by sending simple GET requests.\n\n## Details\n\nThe vulnerable files are:\n\n**1. `plugin/Scheduler/View/Scheduler_commands/list.json.php:1-7`**\n```php\n\u003c?php\nrequire_once \u0027../../../../videos/configuration.php\u0027;\nrequire_once $global[\u0027systemRootPath\u0027] . \u0027plugin/Scheduler/Objects/Scheduler_commands.php\u0027;\nheader(\u0027Content-Type: application/json\u0027);\n\n$rows = Scheduler_commands::getAll();\n?\u003e\n{\"data\": \u003c?php echo json_encode($rows); ?\u003e}\n```\n\n**2. `plugin/Scheduler/View/Emails_messages/list.json.php:1-10`**\n```php\n\u003c?php\nrequire_once \u0027../../../../videos/configuration.php\u0027;\nrequire_once $global[\u0027systemRootPath\u0027] . \u0027plugin/Scheduler/Objects/Emails_messages.php\u0027;\nheader(\u0027Content-Type: application/json\u0027);\n\n$rows = Emails_messages::getAll();\n$total = Emails_messages::getTotal();\n?\u003e\n{\"data\": \u003c?php echo json_encode($rows); ?\u003e, ...}\n```\n\n**3. `plugin/Scheduler/View/Email_to_user/list.json.php:1-10`**\n```php\n\u003c?php\nrequire_once \u0027../../../../videos/configuration.php\u0027;\nrequire_once $global[\u0027systemRootPath\u0027] . \u0027plugin/Scheduler/Objects/Email_to_user.php\u0027;\nheader(\u0027Content-Type: application/json\u0027);\n\n$rows = Email_to_user::getAll();\n$total = Email_to_user::getTotal();\n?\u003e\n{\"data\": \u003c?php echo json_encode($rows); ?\u003e, ...}\n```\n\nNone of these files check authentication before calling `getAll()`, which executes `SELECT * FROM {table}` and returns the entire table contents.\n\nIn contrast, every sibling endpoint requires admin access. For example, `plugin/Scheduler/View/Scheduler_commands/add.json.php:12-15`:\n```php\nif(!User::isAdmin()){\n    $obj-\u003emsg = \"You cant do this\";\n    die(json_encode($obj));\n}\n```\n\nThe `Scheduler_commands` table (defined in `plugin/Scheduler/Objects/Scheduler_commands.php`) stores fields including `callbackURL` (internal server URLs with query parameters), `parameters` (JSON blobs containing user IDs and email configuration), `status`, `timezone`, and cron scheduling fields. The `Emails_messages` table stores `subject` and `message` (full HTML email bodies composed by admins). The `Email_to_user` table maps `users_id` to `emails_messages_id`, revealing which users are targeted by which email campaigns.\n\n## PoC\n\n```bash\n# 1. Retrieve all scheduled tasks \u2014 exposes internal callbackURLs and parameters\ncurl -s \u0027https://target/plugin/Scheduler/View/Scheduler_commands/list.json.php\u0027 | jq \u0027.data[] | {id, callbackURL, parameters, status, type}\u0027\n\n# 2. Retrieve all admin-composed email messages \u2014 exposes subject and HTML body\ncurl -s \u0027https://target/plugin/Scheduler/View/Emails_messages/list.json.php\u0027 | jq \u0027.data[] | {id, subject, message}\u0027\n\n# 3. Retrieve user-to-email targeting mappings \u2014 reveals which users receive which emails\ncurl -s \u0027https://target/plugin/Scheduler/View/Email_to_user/list.json.php\u0027 | jq \u0027.data[] | {users_id, emails_messages_id, sent_at}\u0027\n```\n\nAll three return full database contents with no authentication required. No session cookie or token is needed.\n\n## Impact\n\nAn unauthenticated attacker can:\n\n- **Enumerate internal infrastructure**: `callbackURL` fields expose internal server URLs and query parameters used by the scheduler, potentially revealing internal API endpoints and their parameter structures\n- **Read admin email campaigns**: Full email subjects and HTML message bodies composed by administrators are exposed\n- **Map user targeting**: The `Email_to_user` table reveals which `users_id` values are targeted by which email campaigns, enabling user enumeration and profiling\n- **Gather reconnaissance**: Scheduling configuration (cron fields, execution status, timezone) reveals operational patterns and timing of automated tasks\n\nThe information disclosed could be used to facilitate further attacks (e.g., using discovered internal URLs for SSRF, or user IDs for targeted account attacks).\n\n## Recommended Fix\n\nAdd `User::isAdmin()` checks to all three `list.json.php` files, matching the pattern used by sibling endpoints. For each file, add the following after the `require_once` lines and before the data retrieval:\n\n**`plugin/Scheduler/View/Scheduler_commands/list.json.php`:**\n```php\n\u003c?php\nrequire_once \u0027../../../../videos/configuration.php\u0027;\nrequire_once $global[\u0027systemRootPath\u0027] . \u0027plugin/Scheduler/Objects/Scheduler_commands.php\u0027;\nheader(\u0027Content-Type: application/json\u0027);\n\nif(!User::isAdmin()){\n    die(json_encode([\u0027error\u0027 =\u003e true, \u0027msg\u0027 =\u003e \u0027Not authorized\u0027]));\n}\n\n$rows = Scheduler_commands::getAll();\n?\u003e\n{\"data\": \u003c?php echo json_encode($rows); ?\u003e}\n```\n\nApply the same pattern to `Emails_messages/list.json.php` and `Email_to_user/list.json.php`.",
  "id": "GHSA-j724-5c6c-68g5",
  "modified": "2026-03-27T21:38:00Z",
  "published": "2026-03-26T18:06:39Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-j724-5c6c-68g5"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33761"
    },
    {
      "type": "WEB",
      "url": "https://github.com/WWBN/AVideo/commit/83390ab1fa8dca2de3f8fa76116a126428405431"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/WWBN/AVideo"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "AVideo: Unauthenticated Access to Scheduler Plugin Endpoints Leaks Scheduled Tasks, Email Content, and User Mappings"
}

FKIE_CVE-2026-33761

Vulnerability from fkie_nvd - Published: 2026-03-27 15:16 - Updated: 2026-03-31 18:38

Severity ?

5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/WWBN/AVideo/commit/83390ab1fa8dca2de3f8fa76116a126428405431	Patch
	security-advisories@github.com	https://github.com/WWBN/AVideo/security/advisories/GHSA-j724-5c6c-68g5	Exploit, Vendor Advisory

Impacted products

	Vendor	Product	Version
	wwbn	avideo	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "774C24F1-9D26-484F-B931-1DA107C8F588",
              "versionEndIncluding": "26.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "WWBN AVideo is an open source video platform. In versions up to and including 26.0, three `list.json.php` endpoints in the Scheduler plugin lack any authentication check, while every other endpoint in the same plugin directories (`add.json.php`, `delete.json.php`, `index.php`) requires `User::isAdmin()`. An unauthenticated attacker can retrieve all scheduled tasks (including internal callback URLs and parameters), admin-composed email messages, and user-to-email targeting mappings by sending simple GET requests. Commit 83390ab1fa8dca2de3f8fa76116a126428405431 contains a patch."
    }
  ],
  "id": "CVE-2026-33761",
  "lastModified": "2026-03-31T18:38:39.170",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 1.4,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-03-27T15:16:58.223",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/WWBN/AVideo/commit/83390ab1fa8dca2de3f8fa76116a126428405431"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-j724-5c6c-68g5"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-200"
        },
        {
          "lang": "en",
          "value": "CWE-862"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-33761 (GCVE-0-2026-33761)

GHSA-J724-5C6C-68G5

Summary

Details

PoC

Impact

Recommended Fix

FKIE_CVE-2026-33761

Tags

Sightings

Nomenclature