{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33649", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-23T15:23:42.217Z", "datePublished": "2026-03-23T18:26:32.866Z", "dateUpdated": "2026-03-24T15:13:47.830Z"}, "containers": {"cna": {"title": "AVideo's GET-Based CSRF in setPermission.json.php Enables Privilege Escalation via Arbitrary Permission Modification", "problemTypes": [{"descriptions": [{"cweId": "CWE-352", "lang": "en", "description": "CWE-352: Cross-Site Request Forgery (CSRF)", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/WWBN/AVideo/security/advisories/GHSA-g8x9-7mgh-7cvj", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-g8x9-7mgh-7cvj"}], "affected": [{"vendor": "WWBN", "product": "AVideo", "versions": [{"version": "<= 26.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-23T18:26:32.866Z"}, "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `plugin/Permissions/setPermission.json.php` endpoint accepts GET parameters for a state-changing operation that modifies user group permissions. The endpoint has no CSRF token validation, and the application explicitly sets `session.cookie_samesite=None` on session cookies. This allows an unauthenticated attacker to craft a page with `<img>` tags that, when visited by an admin, silently grant arbitrary permissions to the attacker's user group \u2014 escalating the attacker to near-admin access. As of time of publication, no known patched versions are available."}], "source": {"advisory": "GHSA-g8x9-7mgh-7cvj", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-g8x9-7mgh-7cvj", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-24T14:54:46.806864Z", "id": "CVE-2026-33649", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T15:13:47.830Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33649", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-24T14:54:46.806864Z"}}}], "references": [{"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-g8x9-7mgh-7cvj", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T14:55:00.115Z"}}], "cna": {"title": "AVideo's GET-Based CSRF in setPermission.json.php Enables Privilege Escalation via Arbitrary Permission Modification", "source": {"advisory": "GHSA-g8x9-7mgh-7cvj", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "WWBN", "product": "AVideo", "versions": [{"status": "affected", "version": "<= 26.0"}]}], "references": [{"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-g8x9-7mgh-7cvj", "name": "https://github.com/WWBN/AVideo/security/advisories/GHSA-g8x9-7mgh-7cvj", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `plugin/Permissions/setPermission.json.php` endpoint accepts GET parameters for a state-changing operation that modifies user group permissions. The endpoint has no CSRF token validation, and the application explicitly sets `session.cookie_samesite=None` on session cookies. This allows an unauthenticated attacker to craft a page with `<img>` tags that, when visited by an admin, silently grant arbitrary permissions to the attacker's user group \u2014 escalating the attacker to near-admin access. As of time of publication, no known patched versions are available."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352: Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-23T18:26:32.866Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33649", "state": "PUBLISHED", "dateUpdated": "2026-03-24T15:13:47.830Z", "dateReserved": "2026-03-23T15:23:42.217Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-23T18:26:32.866Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*", "matchCriteriaId": "774C24F1-9D26-484F-B931-1DA107C8F588", "versionEndIncluding": "26.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `plugin/Permissions/setPermission.json.php` endpoint accepts GET parameters for a state-changing operation that modifies user group permissions. The endpoint has no CSRF token validation, and the application explicitly sets `session.cookie_samesite=None` on session cookies. This allows an unauthenticated attacker to craft a page with `<img>` tags that, when visited by an admin, silently grant arbitrary permissions to the attacker's user group \u2014 escalating the attacker to near-admin access. As of time of publication, no known patched versions are available."}, {"lang": "es", "value": "WWBN AVideo es una plataforma de video de c\u00f3digo abierto. En versiones hasta la 26.0 inclusive, el endpoint 'plugin/Permissions/setPermission.json.php' acepta par\u00e1metros GET para una operaci\u00f3n de cambio de estado que modifica los permisos de grupos de usuarios. El endpoint no tiene validaci\u00f3n de token CSRF, y la aplicaci\u00f3n establece expl\u00edcitamente 'session.cookie_samesite=None' en las cookies de sesi\u00f3n. Esto permite a un atacante no autenticado crear una p\u00e1gina con etiquetas '' que, cuando es visitada por un administrador, concede silenciosamente permisos arbitrarios al grupo de usuarios del atacante \u2014 escalando al atacante a un acceso casi de administrador. Hasta el momento de la publicaci\u00f3n, no hay versiones parcheadas conocidas disponibles."}], "id": "CVE-2026-33649", "lastModified": "2026-03-25T14:54:19.157", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-23T19:16:41.070", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-g8x9-7mgh-7cvj"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-g8x9-7mgh-7cvj"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,26.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "AVideo", "source": "cna", "vendor": "WWBN"}, "product": "avideo", "vendor": "wwbn"}], "analysis": {"en": {"generated_at": "2026-03-25T16:40:52.743317+00:00", "value": {"mitigation_remediation": ["Deploy a patched version of AVideo once it becomes available.", "Modify the setPermission.json.php handler to accept only POST requests and reject GET requests for state changes.", "Implement CSRF token validation on all state\u2011changing endpoints.\n", "Configure session cookies with SameSite=Lax or SameSite=Strict prevent cross\u2011site cookie usage.\n", "Monitor permission changes for unexpected modifications and alert administrators.\n", "Restrict administrative access to a secure, internal network and enforce multi\u2011factor authentication."], "summary": {"action": "Immediate Patch", "impact": "Privilege Escalation via CSRF"}, "threat_synthesis": {"affected_systems": "Affects the open\u2011source video platform AVideo from WWBN, in all releases up to and including 26.0. No patched version is available at the time of disclosure, so the vulnerability remains present in the current codebases used by administrators.\n", "description_and_impact": "The vulnerability in AVideo\u2019s setPermission.json.php endpoint allows an attacker to perform a cross\u2011site request forgery (CSRF) without any authentication token. By sending GET requests that manipulate user group permissions, an attacker can grant themselves elevated privileges, potentially reaching near\u2011administrative access. The flaw is a classic state\u2011changing CSRF weakness (CWE\u2011352) and is highlighted by the lack of CSRF token validation and the application\u2019s use of session.cookie_samesite=None, which permits cookies to be sent in cross\u2011origin requests.\n", "risk_and_exploitability": "The CVSS base score of 8.1 reflects a significant risk, and the EPSS score of less than 1% indicates that widespread exploitation is unlikely at present, but the flaw is still severe. The vulnerability is not listed in the CISA KEV catalog. An attacker can trigger the exploit simply by hosting a webpage that includes an <img> tag pointing to the vulnerable endpoint; any admin who visits that page would unknowingly execute the privileged action. Because the request is made via GET, no user interaction beyond visiting the page is required.\n"}}}}, "created": "2026-03-24T10:33:23.191211+00:00", "updated": "2026-03-25T20:37:15.540146+00:00", "vendors": ["wwbn", "wwbn$PRODUCT$avideo"]}