CVE-2026-33759 in AVideo情報

要約

〜によって MITRE • 2026年03月27日

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `objects/playlistsVideos.json.php` endpoint returns the full video contents of any playlist by ID without any authentication or authorization check. Private playlists (including `watch_later` and `favorite` types) are correctly hidden from listing endpoints via `playlistsFromUser.json.php`, but their contents are directly accessible through this endpoint by providing the sequential integer `playlists_id` parameter. Commit bb716fbece656c9fe39784f11e4e822b5867f1ca has a patch for the issue.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

責任者

GitHub M

予約する

2026年03月23日

モデレーション

承諾済み

エントリ

VDB-353918

EPSS

0.00295

アクティビティ

非常低い

ソース

Want to know what is going to be exploited?

We predict KEV entries!