Description
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `plugin/AD_Server/reports.json.php` endpoint performs no authentication or authorization checks, allowing any unauthenticated attacker to extract ad campaign analytics data including video titles, user channel names, user IDs, ad campaign names, and impression/click counts. The HTML counterpart (`reports.php`) and CSV export (`getCSV.php`) both correctly enforce `User::isAdmin()`, but the JSON API was left unprotected. Commit daca4ffb1ce19643eecaa044362c41ac2ce45dde contains a patch.
Published: 2026-03-23
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized data exposure leading to confidentiality breach
Action: Patch Now
AI Analysis

Impact

The vulnerability exists in WWBN AVideo versions 26.0 and earlier. The plugin/AD_Server/reports.json.php endpoint lacks any authentication or authorization checks, allowing attackers to retrieve detailed ad campaign analytics and user information without credentials. This includes video titles, channel names, user IDs, campaign names, and click impression counts. The exposed data represents a clear confidentiality breach due to unrestricted access.

Affected Systems

Affected systems are the WWBN AVideo platform, specifically all releases up to and including version 26.0. The issue was fixed in the patch commit https://github.com/WWBN/AVideo/commit/daca4ffb1ce19643eecaa044362c41ac2ce45dde. Users deployed with earlier versions should upgrade to a version that includes this fix.

Risk and Exploitability

The CVSS base score of 5.3 indicates moderate severity, while the EPSS score under 1% means exploit sightings are rare. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Attackers can exploit it simply by issuing an HTTP GET request to the unprotected report JSON endpoint, requiring no privileged credentials. Because the endpoint is publicly reachable, it is likely solvable from external networks once the server is exposed.

Generated by OpenCVE AI on March 25, 2026 at 20:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest AVideo release that contains the authorization fix (e.g., apply the patch commit or upgrade to a version ≥ 26.1).
  • If an immediate upgrade is not possible, block or restrict access to the plugin/AD_Server/reports.json.php endpoint by configuring web server rules or firewall filters to allow only authenticated users or the administrator network.
  • Verify that the JSON endpoint no longer returns data by testing with a non‑admin account or an unauthenticated user after the upgrade or restriction.
  • Monitor web server logs for unauthorized requests to /plugin/AD_Server/reports.json.php and alert on suspicious activity.

Generated by OpenCVE AI on March 25, 2026 at 20:31 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-j36m-74g2-7m95 AVideo Allows Unauthenticated Access to AD_Server reports.json.php that Exposes Ad Campaign Analytics and User Data
History

Wed, 25 Mar 2026 19:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*

Tue, 24 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 24 Mar 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Wwbn
Wwbn avideo
Vendors & Products Wwbn
Wwbn avideo

Mon, 23 Mar 2026 19:00:00 +0000

Type Values Removed Values Added
Description WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `plugin/AD_Server/reports.json.php` endpoint performs no authentication or authorization checks, allowing any unauthenticated attacker to extract ad campaign analytics data including video titles, user channel names, user IDs, ad campaign names, and impression/click counts. The HTML counterpart (`reports.php`) and CSV export (`getCSV.php`) both correctly enforce `User::isAdmin()`, but the JSON API was left unprotected. Commit daca4ffb1ce19643eecaa044362c41ac2ce45dde contains a patch.
Title AVideo Allows Unauthenticated Access to AD_Server reports.json.php that Exposes Ad Campaign Analytics and User Data
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

Subscriptions

Wwbn Avideo
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-24T15:13:37.430Z

Reserved: 2026-03-23T16:34:59.931Z

Link: CVE-2026-33685

cve-icon Vulnrichment

Updated: 2026-03-24T14:44:25.796Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-23T19:16:41.863

Modified: 2026-03-25T19:04:36.240

Link: CVE-2026-33685

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-25T20:37:06Z

Weaknesses