CVE-2026-33764
published 2026-03-27CVE-2026-33764: WWBN AVideo is an open source video platform. In versions up to and including 26.0, the AI plugin's `save.json.php` endpoint loads AI response objects using an…
PriorityP422medium4.3CVSS 3.1
AVNACLPRLUINSUCLINAN
EPSS
0.21%
11.8th percentile
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the AI plugin's `save.json.php` endpoint loads AI response objects using an attacker-controlled `$_REQUEST['id']` parameter without validating that the AI response belongs to the specified video. An authenticated user with AI permissions can reference any AI response ID — including those generated for other users' private videos — and apply the stolen AI-generated content (titles, descriptions, keywords, summaries, or full transcriptions) to their own video, effectively exfiltrating the information. Commit aa2c46a806960a0006105df47765913394eec142 contains a patch.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| wwbn | avideo | <= 26.0 | — |
| wwbn | avideo | 0 – 26.0 | — |
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
AVideo: IDOR in AI Plugin Allows Stealing Other Users' AI-Generated Metadata and Transcriptions
ghsa·2026-03-26
CVE-2026-33764 [MEDIUM] CWE-639 AVideo: IDOR in AI Plugin Allows Stealing Other Users' AI-Generated Metadata and Transcriptions
AVideo: IDOR in AI Plugin Allows Stealing Other Users' AI-Generated Metadata and Transcriptions
## Summary
The AI plugin's `save.json.php` endpoint loads AI response objects using an attacker-controlled `$_REQUEST['id']` parameter without validating that the AI response belongs to the specified video. An authenticated user with AI permissions can reference any AI response ID — including those generated for other users' private videos — and apply the stolen AI-generated content (titles, descriptions, keywords, summaries, or full transcriptions) to their own video, effectively exfiltrating the information.
## Details
In `plugin/AI/save.json.php`, the authorization flow checks that the user can edit the *target video* (`Video::canEdit($videos_id)` at line 23), but loads the AI response ob
OSV
AVideo: IDOR in AI Plugin Allows Stealing Other Users' AI-Generated Metadata and Transcriptions
osv·2026-03-26
CVE-2026-33764 [MEDIUM] AVideo: IDOR in AI Plugin Allows Stealing Other Users' AI-Generated Metadata and Transcriptions
AVideo: IDOR in AI Plugin Allows Stealing Other Users' AI-Generated Metadata and Transcriptions
## Summary
The AI plugin's `save.json.php` endpoint loads AI response objects using an attacker-controlled `$_REQUEST['id']` parameter without validating that the AI response belongs to the specified video. An authenticated user with AI permissions can reference any AI response ID — including those generated for other users' private videos — and apply the stolen AI-generated content (titles, descriptions, keywords, summaries, or full transcriptions) to their own video, effectively exfiltrating the information.
## Details
In `plugin/AI/save.json.php`, the authorization flow checks that the user can edit the *target video* (`Video::canEdit($videos_id)` at line 23), but loads the AI response ob
No detection rules found.
No public exploits indexed.
2026-03-27
Published