CVE-2026-33501 — Missing Authorization in Avideo

CWE-862 — Missing Authorization4 documents4 sources

Severity

5.3MEDIUMNVD

EPSS

0.2%

top 58.40%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Wwbn Avideo

Timeline

Latest updateMar 20

PublishedMar 23

Description

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the endpoint `plugin/Permissions/View/Users_groups_permissions/list.json.php` lacks any authentication or authorization check, allowing unauthenticated users to retrieve the complete permission matrix mapping user groups to plugins. All sibling endpoints in the same directory (`add.json.php`, `delete.json.php`, `index.php`) properly require `User::isAdmin()`, indicating this is an oversight. Commits dc3c825734628…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages2 packages

▶NVDwwbn/avideo26.0

▶Packagistwwbn/avideo26.0

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

AVideo has Unauthenticated Information Disclosure of User Group Permission Mappings via Permissions Plugin↗2026-03-20

▶

GHSA

AVideo has Unauthenticated Information Disclosure of User Group Permission Mappings via Permissions Plugin↗2026-03-20

▶

🕵️Threat Intelligence

Wiz

CVE-2026-33501 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶