{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33501", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-20T16:59:08.888Z", "datePublished": "2026-03-23T16:28:20.513Z", "dateUpdated": "2026-03-25T14:18:32.194Z"}, "containers": {"cna": {"title": "AVideo has Unauthenticated Information Disclosure of User Group Permission Mappings via Permissions Plugin", "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "lang": "en", "description": "CWE-862: Missing Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/WWBN/AVideo/security/advisories/GHSA-96qp-8cmq-jvq8", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-96qp-8cmq-jvq8"}, {"name": "https://github.com/WWBN/AVideo/commit/b583acdc9a9d1eab461543caa363e1a104fb4516", "tags": ["x_refsource_MISC"], "url": "https://github.com/WWBN/AVideo/commit/b583acdc9a9d1eab461543caa363e1a104fb4516"}, {"name": "https://github.com/WWBN/AVideo/commit/dc3c825734628bb32550d0daa125f05bacb6829c", "tags": ["x_refsource_MISC"], "url": "https://github.com/WWBN/AVideo/commit/dc3c825734628bb32550d0daa125f05bacb6829c"}], "affected": [{"vendor": "WWBN", "product": "AVideo", "versions": [{"version": "<= 26.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-23T16:28:20.513Z"}, "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions up to and including 26.0, the endpoint `plugin/Permissions/View/Users_groups_permissions/list.json.php` lacks any authentication or authorization check, allowing unauthenticated users to retrieve the complete permission matrix mapping user groups to plugins. All sibling endpoints in the same directory (`add.json.php`, `delete.json.php`, `index.php`) properly require `User::isAdmin()`, indicating this is an oversight. Commits dc3c825734628bb32550d0daa125f05bacb6829c and b583acdc9a9d1eab461543caa363e1a104fb4516 contain patches."}], "source": {"advisory": "GHSA-96qp-8cmq-jvq8", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-25T14:18:00.443486Z", "id": "CVE-2026-33501", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T14:18:32.194Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33501", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-20T16:59:08.888Z", "datePublished": "2026-03-23T16:28:20.513Z", "dateUpdated": "2026-03-25T14:18:32.194Z"}, "containers": {"cna": {"title": "AVideo has Unauthenticated Information Disclosure of User Group Permission Mappings via Permissions Plugin", "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "lang": "en", "description": "CWE-862: Missing Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/WWBN/AVideo/security/advisories/GHSA-96qp-8cmq-jvq8", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-96qp-8cmq-jvq8"}, {"name": "https://github.com/WWBN/AVideo/commit/b583acdc9a9d1eab461543caa363e1a104fb4516", "tags": ["x_refsource_MISC"], "url": "https://github.com/WWBN/AVideo/commit/b583acdc9a9d1eab461543caa363e1a104fb4516"}, {"name": "https://github.com/WWBN/AVideo/commit/dc3c825734628bb32550d0daa125f05bacb6829c", "tags": ["x_refsource_MISC"], "url": "https://github.com/WWBN/AVideo/commit/dc3c825734628bb32550d0daa125f05bacb6829c"}], "affected": [{"vendor": "WWBN", "product": "AVideo", "versions": [{"version": "<= 26.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-23T16:28:20.513Z"}, "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions up to and including 26.0, the endpoint `plugin/Permissions/View/Users_groups_permissions/list.json.php` lacks any authentication or authorization check, allowing unauthenticated users to retrieve the complete permission matrix mapping user groups to plugins. All sibling endpoints in the same directory (`add.json.php`, `delete.json.php`, `index.php`) properly require `User::isAdmin()`, indicating this is an oversight. Commits dc3c825734628bb32550d0daa125f05bacb6829c and b583acdc9a9d1eab461543caa363e1a104fb4516 contain patches."}], "source": {"advisory": "GHSA-96qp-8cmq-jvq8", "discovery": "UNKNOWN"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33501", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-25T14:18:00.443486Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T14:18:26.592Z"}}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*", "matchCriteriaId": "774C24F1-9D26-484F-B931-1DA107C8F588", "versionEndIncluding": "26.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions up to and including 26.0, the endpoint `plugin/Permissions/View/Users_groups_permissions/list.json.php` lacks any authentication or authorization check, allowing unauthenticated users to retrieve the complete permission matrix mapping user groups to plugins. All sibling endpoints in the same directory (`add.json.php`, `delete.json.php`, `index.php`) properly require `User::isAdmin()`, indicating this is an oversight. Commits dc3c825734628bb32550d0daa125f05bacb6829c and b583acdc9a9d1eab461543caa363e1a104fb4516 contain patches."}, {"lang": "es", "value": "WWBN AVideo es una plataforma de video de c\u00f3digo abierto. En versiones hasta la 26.0 inclusive, el endpoint 'plugin/Permissions/View/Users_groups_permissions/list.json.php' carece de cualquier verificaci\u00f3n de autenticaci\u00f3n o autorizaci\u00f3n, permitiendo a usuarios no autenticados recuperar la matriz de permisos completa que mapea grupos de usuarios a plugins. Todos los endpoints hermanos en el mismo directorio ('add.json.php', 'delete.json.php', 'index.php') requieren correctamente 'User::isAdmin()', indicando que esto es un descuido. Los commits dc3c825734628bb32550d0daa125f05bacb6829c y b583acdc9a9d1eab461543caa363e1a104fb4516 contienen parches."}], "id": "CVE-2026-33501", "lastModified": "2026-03-24T18:08:01.460", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-23T17:16:51.490", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/WWBN/AVideo/commit/b583acdc9a9d1eab461543caa363e1a104fb4516"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/WWBN/AVideo/commit/dc3c825734628bb32550d0daa125f05bacb6829c"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-96qp-8cmq-jvq8"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,26.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "AVideo", "source": "cna", "vendor": "WWBN"}, "product": "avideo", "vendor": "wwbn"}], "analysis": {"en": {"generated_at": "2026-03-24T19:38:22.569490+00:00", "value": {"mitigation_remediation": ["Upgrade AVideo to a version newer than 26.0 or apply the patch commits b583acdc9a9d1eab461543caa363e1a104fb4516 or dc3c825734628bb32550d0daa125f05bacb6829c that add the missing authentication check to the endpoint.", "Configure firewall or web\u2011server rules to block external access to any URL path under /plugin/Permissions/ so that only internal users can reach the controller. This limits the attack surface while the patch is applied.", "Verify that the endpoint now requires an authenticated admin session by attempting to access it after the upgrade or patch; a 403 forbidden or authentication prompt should appear instead of permission data."], "summary": {"action": "Immediate Patch", "impact": "Sensitive permission data exposed"}, "threat_synthesis": {"affected_systems": "The issue affects the AVideo video platform developed by WWBN, specifically all releases up to and including version 26.0. Users running these versions are at risk unless they apply the available patch or upgrade to a newer release that contains the fix.", "description_and_impact": "The vulnerability allows an attacker to query the endpoint \"plugin/Permissions/View/Users_groups_permissions/list.json.php\" without any authentication or authorization check. This results in the disclosure of the entire permission matrix that maps user groups to plugin capabilities. Because the data reveals which plugins are enabled for each group, an attacker could plan targeted attacks or attempt privilege escalation based on available functionalities. The weakness is a classic example of insufficient privilege checks (CWE-862).", "risk_and_exploitability": "The CVSS Base Score of 5.3 indicates moderate severity, and the EPSS Score of less than 1% suggests low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog, and no public exploit is known. Attackers could reach the vulnerable endpoint directly over HTTP/HTTPS from anywhere, requiring no credentials. Once accessed, the endpoint returns full permission mappings in JSON format, allowing straightforward data extraction. Consequently, the risk is moderate for exposed data and low for immediate exploitation, but the lack of authentication makes it trivial for a determined adversary."}}}}, "created": "2026-03-24T10:33:34.952680+00:00", "updated": "2026-03-25T20:37:25.896991+00:00", "vendors": ["wwbn", "wwbn$PRODUCT$avideo"]}