CVE-2026-33501

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2026-33501
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33501.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-33501
Aliases
Published
2026-03-23T16:28:20.513Z
Modified
2026-04-10T05:42:48.456884Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
Summary
AVideo has Unauthenticated Information Disclosure of User Group Permission Mappings via Permissions Plugin
Details

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the endpoint plugin/Permissions/View/Users_groups_permissions/list.json.php lacks any authentication or authorization check, allowing unauthenticated users to retrieve the complete permission matrix mapping user groups to plugins. All sibling endpoints in the same directory (add.json.php, delete.json.php, index.php) properly require User::isAdmin(), indicating this is an oversight. Commits dc3c825734628bb32550d0daa125f05bacb6829c and b583acdc9a9d1eab461543caa363e1a104fb4516 contain patches.

Database specific 
{
    "cwe_ids": [
        "CWE-862"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33501.json",
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/wwbn/avideo

Affected ranges

Type
GIT
Repo
https://github.com/wwbn/avideo
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
aee1e11ee8d9343f87b7643e49cc32924b07979b
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "26.0"
        }
    ]
}

Affected versions

10.*
10.8
Other
11
11.*
11.1
11.1.1
11.5
11.6
12.*
12.4
14.*
14.3
14.3.1
18.*
18.0
2.*
2.2
2.7
21.*
21.0
22.*
22.0
24.*
24.0
25.*
25.0
26.*
26.0
3.*
3.4
4.*
4.0
7.*
7.2
7.3
7.4
7.6
7.7
7.8
8.*
8.1
8.5
8.6
8.7
8.9
8.9.1

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33501.json"