Authorization bypass through user-controlled key in AVideo - CVE-2026-33764

 


Published: May 4, 2026


Vulnerability identifier: #VU129522
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-33764
CWE-ID: CWE-639
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: World Wide Broadcast Network
Affected software: AVideo

Detailed vulnerability description

The vulnerability allows a remote user to gain access to sensitive information.

The vulnerability exists due to improper access control in the AI plugin save.json.php endpoint when handling attacker-controlled AI response identifiers. A remote user can supply a crafted request referencing another user's AI response ID to disclose sensitive information.

Exploitation requires AI permissions and the ability to edit at least one video. Sequential AI response IDs make enumeration possible.
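The following is an added example, not AVideo's code: a constructed Python model of the CWE-639 pattern described above, with a weak lookup beside a hardened one. It assumes the flaw is that edit permission is checked on a video the caller names while the AI response is loaded by ID alone; all names and sample data are hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    id: int
    can_use_ai: bool

# Constructed sample data: video id -> owner id, response id -> (video id, text).
VIDEO_OWNER = {10: 1, 20: 2}
AI_RESPONSES = {100: (10, "alice draft"), 101: (20, "bob draft"), 102: (10, "alice draft 2")}

class Denied(Exception):
    """Raised for every refusal, so 'missing' and 'not yours' look identical."""

def can_edit(user, video_id):
    return VIDEO_OWNER.get(video_id) == user.id

def fetch_response_weak(user, video_id, response_id):
    # Assumed flawed pattern: permission is checked on the video named in the
    # request, but the response is then loaded by its ID alone.
    if not (user.can_use_ai and can_edit(user, video_id)):
        raise Denied()
    return AI_RESPONSES[response_id][1]

def fetch_response_checked(user, video_id, response_id):
    # Hardened pattern: resolve the record first, then authorize against the
    # video the record actually belongs to, not the one named in the request.
    record = AI_RESPONSES.get(response_id)
    if record is None or not user.can_use_ai:
        raise Denied()
    owner_video, text = record
    if owner_video != video_id or not can_edit(user, owner_video):
        raise Denied()
    return text

def disclosed_ids(fetch, user, video_id):
    """Regression helper: which stored response IDs does `fetch` release to `user`?"""
    out = []
    for rid in sorted(AI_RESPONSES):
        try:
            fetch(user, video_id, rid)
            out.append(rid)
        except Denied:
            pass
    return out
```

A helper like `disclosed_ids` can serve as a regression test after patching: for any user, the result must contain only responses tied to videos that user can edit.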


How to mitigate CVE-2026-33764

Install the security update from the vendor's website.
