Incorrect authorization in AVideo - CVE-2026-33650
Published: April 8, 2026
Vulnerability identifier: #VU125469
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-33650
CWE-ID: CWE-863
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: World Wide Broadcast Network
Affected software:
AVideo
AVideo
Detailed vulnerability description
The vulnerability allows a remote user to delete arbitrary videos.
The vulnerability exists due to incorrect authorization in videoAddNew.json.php and videoDelete.json.php when handling video edit and delete requests. A remote user can transfer ownership of a target video to their account and then delete it to delete arbitrary videos.
The issue affects users granted the "Videos Moderator" permission, which is documented as allowing only video publicity changes.
How to mitigate CVE-2026-33650
Install security update from vendor's website.