CVE-2026-33650 in AVideoالمعلومات

الملخص

بحسب MITRE • 23/03/2026

WWBN AVideo is an open source video platform. In versions up to and including 26.0, a user with the "Videos Moderator" permission can escalate privileges to perform full video management operations — including ownership transfer and deletion of any video — despite the permission being documented as only allowing video publicity changes (Active, Inactive, Unlisted). The root cause is that `Permissions::canModerateVideos()` is used as an authorization gate for full video editing in `videoAddNew.json.php`, while `videoDelete.json.php` only checks ownership, creating an asymmetric authorization boundary exploitable via a two-step ownership-transfer-then-delete chain. Commit 838e16818c793779406ecbf34ebaeba9830e33f8 contains a patch.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

🔬 Show More Details

An in-depth analysis is available in our curated vulnerability entry.

مسؤول

GitHub M

حجز

23/03/2026

إفشاء

23/03/2026

الاعتدال

تمت الموافقة

إدخال

VDB-352557

EPSS

0.00044

KEV

لا

النشاطات

منخفض جدًا

المصادر

MITREhttps://www.cve.org/CVERecord?id=CVE-2026-33650
NVDhttps://nvd.nist.gov/vuln/detail/CVE-2026-33650
CVE Detailshttps://www.cvedetails.com/cve/CVE-2026-33650/

التالي نظرة عامة السابق

Do you need the next level of professionalism?

Upgrade your account now!