#VU125469 Incorrect authorization in AVideo - CVE-2026-33650
Published: April 8, 2026
AVideo
World Wide Broadcast Network
Description
The vulnerability allows a remote user to delete arbitrary videos.
The vulnerability exists due to incorrect authorization in videoAddNew.json.php and videoDelete.json.php when handling video edit and delete requests. A remote user can transfer ownership of a target video to their own account and then delete it, which results in the deletion of arbitrary videos.
The issue affects users granted the "Videos Moderator" permission, which is documented as allowing only video publicity changes.
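The boundary this permission is documented to have can be expressed as a per-field authorization check, shown here as an added example that is not AVideo's code or its fix. All names (`User`, `Video`, `can_edit`, `can_delete`, `apply_edit`, the `publicity` and `owner_id` fields) are hypothetical, and the rule that only administrators reassign ownership is an assumption of this model.

```python
# Added illustration: a small model of the authorization rule, not AVideo code.
# Every class, function and field name here is hypothetical.
from dataclasses import dataclass

# Fields a moderator-only account may change: publicity only, matching the
# permission's documented scope. The field name is an assumption.
MODERATOR_FIELDS = frozenset({"publicity"})


@dataclass
class User:
    id: int
    is_admin: bool = False
    is_moderator: bool = False   # models the "Videos Moderator" permission


@dataclass
class Video:
    id: int
    owner_id: int
    publicity: str = "public"
    title: str = ""


def can_edit(user: User, video: Video, changes: dict) -> bool:
    """Authorize an edit per changed field, not per request."""
    if user.is_admin:
        return True
    if "owner_id" in changes and changes["owner_id"] != video.owner_id:
        return False                      # assumption: only admins reassign ownership
    if user.id == video.owner_id:
        return True
    # Non-owner moderator: every changed field must be in the allowlist.
    return user.is_moderator and bool(changes) and set(changes) <= MODERATOR_FIELDS


def can_delete(user: User, video: Video) -> bool:
    """Deletion depends on stored ownership, never on moderator status."""
    return user.is_admin or user.id == video.owner_id


def apply_edit(user: User, video: Video, changes: dict) -> bool:
    """Apply changes only if the whole request is authorized (all or nothing)."""
    if not can_edit(user, video, changes):
        return False
    for field, value in changes.items():
        setattr(video, field, value)
    return True
```

Because the ownership check runs before any field is written, a request that mixes an allowed publicity change with an ownership change is rejected as a whole.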