Description
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `objects/playlistsVideos.json.php` endpoint returns the full video contents of any playlist by ID without any authentication or authorization check. Private playlists (including `watch_later` and `favorite` types) are correctly hidden from listing endpoints via `playlistsFromUser.json.php`, but their contents are directly accessible through this endpoint by providing the sequential integer `playlists_id` parameter. Commit bb716fbece656c9fe39784f11e4e822b5867f1ca has a patch for the issue.
Published: 2026-03-27
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized disclosure of private playlist content via unauthenticated IDOR
Action: Patch immediately
AI Analysis

Impact

The vulnerability is an unauthenticated Insecure Direct Object Reference (IDOR) in the objects/playlistsVideos.json.php endpoint of the AVideo platform. An attacker can supply any integer playlists_id value and receive the full list of videos in that playlist; the endpoint performs no authentication or authorization check at all. Private playlists, including the watch_later and favorite types, are correctly hidden from the listing endpoint (playlistsFromUser.json.php), but that hiding only covers discovery: because playlist IDs are sequential integers, an attacker can enumerate them directly and read the contents of every private playlist on the instance, regardless of owner. The weakness, captured by CWE-639 (Authorization Bypass Through User-Controlled Key) and CWE-862 (Missing Authorization), results in disclosure of potentially sensitive viewing data: which videos a user has saved, favourited or queued for later.

Affected Systems

The flaw is present in all AVideo releases up to and including version 26.0, regardless of deployment size. The fix is the referenced commit bb716fbece656c9fe39784f11e4e822b5867f1ca; a deployment is only safe once it runs code that includes that commit. The NVD CPE entry (cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*) carries no explicit version range, so operators should verify that the patch is present in their checkout rather than rely on a version number alone.

Risk and Exploitability

The CVSS 3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) describes a network-reachable, low-complexity, unauthenticated confidentiality leak with no integrity or availability impact, and the EPSS score below 1% suggests a low probability of exploitation in the wild. The flaw is not listed in the CISA KEV catalog; the SSVC assessment records Exploitation: poc and Automatable: yes. Exploitation is a single HTTP request to the endpoint with a chosen playlists_id value and no credentials, so the only prerequisite is network reachability of the affected instance; because the IDs are sequential integers, the whole ID space can be walked by a trivial script. Any private playlist contents, including watch_later and favorite lists, can therefore be harvested by anyone, which is a privacy violation in itself and a possible source of downstream data leakage.
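The enumeration described above leaves a recognisable trace in web server access logs: one client walking sequential playlists_id values against objects/playlistsVideos.json.php. The following Python is an added example for detecting that pattern; it is not part of this advisory, of OpenCVE's analysis or of the AVideo project. It assumes the Apache/nginx combined log format and that the ID is passed as a GET query parameter (the endpoint may also accept other forms); the log lines are constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Apache/nginx "combined" access log format (assumed for this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)
ENDPOINT = "/objects/playlistsVideos.json.php"

# Constructed sample: one client walks IDs 1..4, another views a single playlist.
SAMPLE_LOG = """\
203.0.113.7 - - [28/Mar/2026:10:00:01 +0000] "GET /objects/playlistsVideos.json.php?playlists_id=1 HTTP/1.1" 200 512
203.0.113.7 - - [28/Mar/2026:10:00:02 +0000] "GET /objects/playlistsVideos.json.php?playlists_id=2 HTTP/1.1" 200 12
203.0.113.7 - - [28/Mar/2026:10:00:03 +0000] "GET /objects/playlistsVideos.json.php?playlists_id=3 HTTP/1.1" 200 890
203.0.113.7 - - [28/Mar/2026:10:00:04 +0000] "GET /objects/playlistsVideos.json.php?playlists_id=4 HTTP/1.1" 200 2044
198.51.100.9 - - [28/Mar/2026:10:05:00 +0000] "GET /objects/playlistsVideos.json.php?playlists_id=17 HTTP/1.1" 200 300
198.51.100.9 - - [28/Mar/2026:10:09:00 +0000] "GET /index.php HTTP/1.1" 200 5000
"""


def parse_playlist_request(line):
    """Return {ip, playlists_id, status} for a request to the endpoint, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if url.path != ENDPOINT:
        return None
    ids = parse_qs(url.query).get("playlists_id", [])
    if not ids or not ids[0].isdigit():
        return None
    return {"ip": m.group("ip"), "playlists_id": int(ids[0]), "status": int(m.group("status"))}


def find_enumeration(log_text, min_ids=3, max_gap=2):
    """Flag clients that fetched at least min_ids distinct playlist IDs forming a
    run with no gap larger than max_gap, i.e. a walk over the sequential ID space."""
    ids_by_ip = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_playlist_request(line)
        if rec and rec["status"] == 200:
            ids_by_ip[rec["ip"]].add(rec["playlists_id"])
    findings = []
    for ip, ids in ids_by_ip.items():
        ordered = sorted(ids)
        if len(ordered) < min_ids:
            continue
        if all(b - a <= max_gap for a, b in zip(ordered, ordered[1:])):
            findings.append({"ip": ip, "playlists_id": ordered})
    return sorted(findings, key=lambda f: f["ip"])


if __name__ == "__main__":
    for f in find_enumeration(SAMPLE_LOG):
        first, last, n = f["playlists_id"][0], f["playlists_id"][-1], len(f["playlists_id"])
        print(f"{f['ip']} walked playlists_id {first}..{last} ({n} IDs)")
```

Legitimate users also hit this endpoint, so tune min_ids and max_gap to the instance; a patched server still answers these requests, so the detection is about enumeration behaviour rather than whether the leak succeeded, and response sizes are a useful corroborating signal.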

Generated by OpenCVE AI on March 31, 2026 at 19:30 UTC.

Remediation

The vendor has published a fix in commit bb716fbece656c9fe39784f11e4e822b5867f1ca (see the recommended actions below); no workaround is listed.

OpenCVE Recommended Actions

  • Apply the patch referenced in commit bb716fbece656c9fe39784f11e4e822b5867f1ca, which enforces an authorization check on the playlistsVideos.json.php endpoint.
  • Upgrade AVideo to a release later than 26.0 that includes that commit; confirm the fix is present in the deployed code rather than relying on the version number alone.
  • Until the fix is deployed, review web server access logs for one client requesting many sequential playlists_id values against the endpoint, since the IDs are sequential integers and the issue is automatable.
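The fix the recommended actions refer to is an object-level authorization check on the playlist before its contents are returned. The block below is an added illustration of that check in Python, written for this page; it is not the AVideo project's PHP code and not the contents of commit bb716fbece656c9fe39784f11e4e822b5867f1ca. The in-memory store, the playlist status values (public, private, favorite, watch_later), the owner and admin fields and the response shape are all assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Playlist:
    id: int
    owner_id: int
    status: str        # assumed values: "public", "private", "favorite", "watch_later"
    videos: tuple = ()


# Constructed sample data with sequential integer IDs, as on the real endpoint.
PLAYLISTS = {
    1: Playlist(1, owner_id=10, status="public", videos=("v1", "v2")),
    2: Playlist(2, owner_id=10, status="watch_later", videos=("v3",)),
    3: Playlist(3, owner_id=11, status="favorite", videos=("v4", "v5")),
    4: Playlist(4, owner_id=11, status="private", videos=("v6",)),
}


def playlist_videos_vulnerable(playlists_id):
    """Shape of the flaw: the only input is the ID, so any caller gets any list."""
    pl = PLAYLISTS.get(playlists_id)
    return list(pl.videos) if pl else []


def can_read_playlist(pl, user_id, is_admin=False):
    """Authorization rule (assumed): public lists are readable by anyone;
    private, favorite and watch_later lists only by their owner or an admin."""
    if pl.status == "public":
        return True
    return user_id is not None and (user_id == pl.owner_id or is_admin)


def playlist_videos_hardened(playlists_id, user_id=None, is_admin=False):
    """Check the caller against the playlist before returning its contents.
    Missing and forbidden playlists get the same response, so an unauthenticated
    caller cannot use the endpoint as an oracle for which IDs exist."""
    pl = PLAYLISTS.get(playlists_id)
    if pl is None or not can_read_playlist(pl, user_id, is_admin):
        return {"error": True, "videos": []}
    return {"error": False, "videos": list(pl.videos)}


if __name__ == "__main__":
    # Anonymous caller: the vulnerable version leaks a watch_later list,
    # the hardened version returns the uniform error response.
    print("vulnerable:", playlist_videos_vulnerable(2))
    print("hardened (anonymous):", playlist_videos_hardened(2))
    print("hardened (owner):", playlist_videos_hardened(2, user_id=10))
```

The uniform error response for both unknown and unauthorized IDs is a deliberate choice: with sequential IDs, distinguishing "not found" from "forbidden" would still let an unauthenticated client map out how many playlists exist and which are private.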


Advisories
Source: GitHub GHSA
ID: GHSA-75qq-68m8-pvfr
Title: AVideo: Unauthenticated IDOR in playlistsVideos.json.php Exposes Private Playlist Contents
History

Tue, 31 Mar 2026 18:45:00 +0000
  CPEs (added): cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*

Mon, 30 Mar 2026 07:15:00 +0000
  First time appeared (added): Wwbn; Wwbn avideo
  Vendors & Products (added): Wwbn; Wwbn avideo

Fri, 27 Mar 2026 15:15:00 +0000
  Metrics (added): ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 27 Mar 2026 14:45:00 +0000
  Description (added): WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `objects/playlistsVideos.json.php` endpoint returns the full video contents of any playlist by ID without any authentication or authorization check. Private playlists (including `watch_later` and `favorite` types) are correctly hidden from listing endpoints via `playlistsFromUser.json.php`, but their contents are directly accessible through this endpoint by providing the sequential integer `playlists_id` parameter. Commit bb716fbece656c9fe39784f11e4e822b5867f1ca has a patch for the issue.
  Title (added): AVideo: Unauthenticated IDOR in playlistsVideos.json.php Exposes Private Playlist Contents
  Weaknesses (added): CWE-639, CWE-862
  References (added): no values shown
  Metrics (added): cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-27T14:45:56.632Z

Reserved: 2026-03-23T18:30:14.125Z

Link: CVE-2026-33759

Vulnrichment

Updated: 2026-03-27T14:45:45.839Z

NVD

Status: Analyzed

Published: 2026-03-27T15:16:58.030

Modified: 2026-03-31T18:38:16.287

Link: CVE-2026-33759

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-31T20:01:15Z

Weaknesses