CVE-2026-33761
- Source
- https://cve.org/CVERecord?id=CVE-2026-33761
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33761.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2026-33761
- Aliases
- Published
- 2026-03-27T14:24:08.051Z
- Modified
- 2026-04-10T05:42:56.027247Z
- Severity
-
- 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
- Summary
- AVideo: Unauthenticated Access to Scheduler Plugin Endpoints Leaks Scheduled Tasks, Email Content, and User Mappings
- Details
-
WWBN AVideo is an open source video platform. In versions up to and including 26.0, three
list.json.phpendpoints in the Scheduler plugin lack any authentication check, while every other endpoint in the same plugin directories (add.json.php,delete.json.php,index.php) requiresUser::isAdmin(). An unauthenticated attacker can retrieve all scheduled tasks (including internal callback URLs and parameters), admin-composed email messages, and user-to-email targeting mappings by sending simple GET requests. Commit 83390ab1fa8dca2de3f8fa76116a126428405431 contains a patch. - Database specific
{ "cna_assigner": "GitHub_M", "cwe_ids": [ "CWE-200", "CWE-862" ], "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33761.json" }- References