Missing Authorization in AVideo - CVE-2026-33685

 

Published: May 4, 2026


Vulnerability identifier: #VU129518
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-33685
CWE-ID: CWE-862
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: World Wide Broadcast Network
Affected software:
AVideo

Detailed vulnerability description

The vulnerability allows a remote attacker to disclose sensitive ad campaign analytics and user data.

The vulnerability exists due to missing authorization in plugin/AD_Server/reports.json.php when handling requests to the JSON reporting endpoint. A remote attacker can send a specially crafted request with report parameters to disclose sensitive ad campaign analytics and user data.

The endpoint can expose video titles, channel names, user IDs, campaign names, and impression or click counts. User enumeration is possible by iterating users_id values.
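
To review whether the reporting endpoint has been queried in this pattern, web server access logs can be checked for clients that received successful responses for many distinct users_id values. The following is an added example, not part of the advisory or of AVideo; the Combined Log Format, the threshold and the sample lines are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

ENDPOINT = "/plugin/AD_Server/reports.json.php"  # path named in the advisory
ENUM_THRESHOLD = 3  # assumed cut-off: distinct users_id values per client

# Combined Log Format: client, identity, user, [time], "request", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines using documentation address ranges, not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [04/May/2026:10:00:01 +0000] "GET /plugin/AD_Server/reports.json.php?users_id=1 HTTP/1.1" 200 812
203.0.113.7 - - [04/May/2026:10:00:02 +0000] "GET /plugin/AD_Server/reports.json.php?users_id=2 HTTP/1.1" 200 640
203.0.113.7 - - [04/May/2026:10:00:03 +0000] "GET /plugin/AD_Server/reports.json.php?users_id=3 HTTP/1.1" 200 655
203.0.113.7 - - [04/May/2026:10:00:04 +0000] "GET /plugin/AD_Server/reports.json.php?users_id=4 HTTP/1.1" 200 91
198.51.100.20 - - [04/May/2026:10:05:00 +0000] "GET /plugin/AD_Server/reports.json.php?users_id=5 HTTP/1.1" 200 700
192.0.2.33 - - [04/May/2026:11:00:00 +0000] "GET /plugin/AD_Server/reports.json.php?users_id=1 HTTP/1.1" 403 58
192.0.2.33 - - [04/May/2026:11:00:01 +0000] "GET /plugin/AD_Server/reports.json.php?users_id=2 HTTP/1.1" 403 58
203.0.113.7 - - [04/May/2026:11:30:00 +0000] "GET /videos/list.php?users_id=9 HTTP/1.1" 200 1200
"""

def find_enumeration(lines, threshold=ENUM_THRESHOLD):
    """Return {client_ip: sorted users_id values} for clients that received
    HTTP 200 from the reporting endpoint for >= threshold distinct users_id.
    Only query-string parameters are visible in access logs; bodies are not."""
    seen = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["status"] != "200":
            continue  # unparsable line, or request was denied / failed
        url = urlsplit(m["target"])
        if not url.path.endswith(ENDPOINT):  # endswith: tolerate subdirectory installs
            continue
        for uid in parse_qs(url.query).get("users_id", []):
            seen[m["ip"]].add(uid)
    return {ip: sorted(ids) for ip, ids in seen.items() if len(ids) >= threshold}

if __name__ == "__main__":
    for ip, ids in find_enumeration(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {len(ids)} distinct users_id values: {', '.join(ids)}")
```

An access log does not show whether a request was authenticated, so a flagged client is a lead for review against session or application logs, not proof of unauthorized access.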


How to mitigate CVE-2026-33685

Install the security update from the vendor's website.

Sources