Description
WWBN AVideo is an open source video platform. In versions up to and including 26.0, three `list.json.php` endpoints in the Scheduler plugin lack any authentication check, while every other endpoint in the same plugin directories (`add.json.php`, `delete.json.php`, `index.php`) requires `User::isAdmin()`. An unauthenticated attacker can retrieve all scheduled tasks (including internal callback URLs and parameters), admin-composed email messages, and user-to-email targeting mappings by sending simple GET requests. Commit 83390ab1fa8dca2de3f8fa76116a126428405431 contains a patch.
Published: 2026-03-27
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Confidentiality Disclosure
Action: Patch Immediately
AI Analysis

Impact

The Scheduler plugin of WWBN's AVideo video platform exposes three endpoints named list.json.php that perform no authentication check, so any unauthenticated user can read them with a simple GET request. They return full listings of scheduled tasks, including the internal callback URLs and their parameters, the email messages composed by administrators, and the mappings that associate user IDs with email addresses. Because no authentication guard is present (CWE-862), an attacker obtains this data without logging in, exposing operational detail about the installation as well as user correspondence (CWE-200). The issue is information disclosure only; it does not provide code execution or denial of service.

Affected Systems

This issue affects all AVideo releases from WWBN up to and including version 26.0 (CPE cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*). Commit 83390ab1fa8dca2de3f8fa76116a126428405431 adds the missing authentication checks; apply it, or move to a release that contains it.

Risk and Exploitability

The CVSS 3.1 score of 5.3 (Medium) comes from the vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N: reachable over the network, low attack complexity, no privileges or user interaction required, with a low-rated confidentiality impact and no integrity or availability impact. The EPSS score below 1% reflects a low estimated probability of exploitation at present, and the vulnerability is not listed in the CISA KEV catalog; the SSVC assessment nonetheless records the exploitation state as 'poc' and the attack as automatable. Since exploitation needs only an unauthenticated HTTP GET to the three endpoints, the risk is meaningful for any installation reachable by untrusted users, even though the impact is confined to confidentiality.

Generated by OpenCVE AI on March 31, 2026 at 19:30 UTC.

Remediation

A patch is available in commit 83390ab1fa8dca2de3f8fa76116a126428405431 (referenced in the description and in GHSA-j724-5c6c-68g5). No separate vendor workaround is documented.

OpenCVE Recommended Actions

  • Apply the vendor patch (commit 83390ab1fa8dca2de3f8fa76116a126428405431), or update to a release that contains it; the patch adds the `User::isAdmin()` check that the three Scheduler `list.json.php` endpoints were missing.
  • If an update is not immediately possible, restrict access to the Scheduler plugin's `list.json.php` endpoints (the three files changed by the patch commit) with firewall rules or web‑server authentication so that only privileged users can reach them.
  • Verify the fix by requesting each endpoint with no session cookie; the request should now be refused (for example with a 401/403, a redirect to the login page, or an error response) rather than returning the listing.
  • Monitor web server access logs for GET requests to the affected URLs and investigate promptly; access logs do not show whether a request carried a session, so treat hits from addresses you do not recognise as administrators as probes.
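The last two actions above, worked as an added example (not OpenCVE's or AVideo's own code): a Python script that requests the three endpoints with no session and labels each answer as protected, exposed or unknown, and that scans access-log lines for GET requests to those endpoints. The endpoint paths are passed on the command line because the advisory does not list them; the `/Scheduler/` directory name used by the log filter, the `"error"` key treated as a denial marker, and the sample log lines are constructed assumptions.

```python
"""Added example for CVE-2026-33761 (not AVideo project code).

(1) probe the Scheduler plugin's list.json.php endpoints with no session
    and classify the answer, and
(2) scan web-server access logs for GET requests to those endpoints.
"""
import json
import re
import sys
import urllib.error
import urllib.request
from collections import Counter


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow a redirect (typically to a login page); the 3xx status
    is surfaced as an HTTPError and classified below."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def classify(status, body):
    """Label one response to an unauthenticated GET.

    'protected': 401/403, a redirect, or a 200 whose JSON body carries a
                 truthy "error" key (assumption: that is how a denied JSON
                 request is reported).
    'exposed':   200 with a JSON array/object and no error flag, i.e. the
                 listing was served without a session.
    'unknown':   anything else, e.g. 404 because the path is wrong.
    """
    if status in (301, 302, 303, 307, 308, 401, 403):
        return "protected"
    if status != 200:
        return "unknown"
    try:
        data = json.loads(body)
    except ValueError:
        return "unknown"
    if isinstance(data, dict) and data.get("error"):
        return "protected"
    if isinstance(data, (list, dict)):
        return "exposed"
    return "unknown"


def probe(base_url, paths, timeout=10):
    """GET each path under base_url with no cookies; return {path: label}.
    `paths` are the three list.json.php files changed by the patch commit."""
    opener = urllib.request.build_opener(_NoRedirect())
    results = {}
    for path in paths:
        url = base_url.rstrip("/") + "/" + path.lstrip("/")
        req = urllib.request.Request(url, headers={"User-Agent": "cve-2026-33761-check"})
        try:
            with opener.open(req, timeout=timeout) as resp:
                status, body = resp.status, resp.read().decode("utf-8", "replace")
        except urllib.error.HTTPError as err:  # 3xx/4xx/5xx land here
            status, body = err.code, err.read().decode("utf-8", "replace")
        except urllib.error.URLError:
            results[path] = "unreachable"
            continue
        results[path] = classify(status, body)
    return results


# Apache/nginx "combined" format; the referer and user-agent are ignored.
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Assumption: the endpoints live under a directory named after the plugin.
# Tighten this to the exact three paths from the patch commit if possible.
_TARGET_RE = re.compile(r"/Scheduler/.*list\.json\.php$", re.IGNORECASE)


def find_probes(log_lines):
    """Return the GET requests that hit a Scheduler list.json.php endpoint.
    Logs do not record whether a session cookie was sent, so after the
    patch a 200 to such a request from an unknown address is the signal."""
    hits = []
    for line in log_lines:
        m = _LOG_RE.match(line)
        if not m or m["method"] != "GET":
            continue
        if _TARGET_RE.search(m["path"].split("?", 1)[0]):
            hits.append({"ip": m["ip"], "time": m["ts"],
                         "path": m["path"], "status": int(m["status"])})
    return hits


def summarize(log_lines):
    """Count matching requests per source address."""
    return dict(Counter(h["ip"] for h in find_probes(log_lines)))


# Constructed sample log lines (not real traffic); paths are illustrative.
SAMPLE_LOG = [
    '203.0.113.7 - - [28/Mar/2026:10:01:02 +0000] "GET /plugin/Scheduler/list.json.php HTTP/1.1" 200 8421 "-" "curl/8.5.0"',
    '203.0.113.7 - - [28/Mar/2026:10:01:03 +0000] "GET /plugin/Scheduler/index.php HTTP/1.1" 403 512 "-" "curl/8.5.0"',
    '203.0.113.7 - - [28/Mar/2026:10:01:04 +0000] "GET /plugin/Scheduler/Email/list.json.php?x=1 HTTP/1.1" 200 2210 "-" "curl/8.5.0"',
    '198.51.100.2 - - [28/Mar/2026:10:05:00 +0000] "GET /view/index.php HTTP/1.1" 200 1200 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    # usage: python3 check.py https://videos.example <path> <path> <path>
    if len(sys.argv) >= 3:
        for path, verdict in probe(sys.argv[1], sys.argv[2:]).items():
            print(f"{verdict:10s} {path}")
    for hit in find_probes(SAMPLE_LOG):
        print("hit:", hit)
    print("per source:", summarize(SAMPLE_LOG))
```

Run the probe before and after applying the patch: every path should move from `exposed` to `protected`; `unknown` usually means the path is wrong, not that the endpoint is fixed. The log filter deliberately keeps 403 responses too, since a burst of denied requests to these files after patching is still evidence of someone enumerating the plugin.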

Generated by OpenCVE AI on March 31, 2026 at 19:30 UTC.

Advisories
Source: GitHub GHSA
ID: GHSA-j724-5c6c-68g5
Title: AVideo: Unauthenticated Access to Scheduler Plugin Endpoints Leaks Scheduled Tasks, Email Content, and User Mappings
History

Tue, 31 Mar 2026 18:45:00 +0000

CPEs (values added): cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*

Mon, 30 Mar 2026 07:15:00 +0000

First Time appeared: Wwbn; Wwbn avideo
Vendors & Products: Wwbn; Wwbn avideo

Fri, 27 Mar 2026 20:15:00 +0000

Metrics (ssvc, values added): {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 27 Mar 2026 14:45:00 +0000

Description (added): WWBN AVideo is an open source video platform. In versions up to and including 26.0, three `list.json.php` endpoints in the Scheduler plugin lack any authentication check, while every other endpoint in the same plugin directories (`add.json.php`, `delete.json.php`, `index.php`) requires `User::isAdmin()`. An unauthenticated attacker can retrieve all scheduled tasks (including internal callback URLs and parameters), admin-composed email messages, and user-to-email targeting mappings by sending simple GET requests. Commit 83390ab1fa8dca2de3f8fa76116a126428405431 contains a patch.
Title (added): AVideo: Unauthenticated Access to Scheduler Plugin Endpoints Leaks Scheduled Tasks, Email Content, and User Mappings
Weaknesses (added): CWE-200, CWE-862
References (added)
Metrics (cvssV3_1, added): {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-27T17:22:49.884Z

Reserved: 2026-03-23T18:30:14.126Z

Link: CVE-2026-33761

Vulnrichment

Updated: 2026-03-27T17:22:02.975Z

NVD

Status : Analyzed

Published: 2026-03-27T15:16:58.223

Modified: 2026-03-31T18:38:39.170

Link: CVE-2026-33761

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-31T20:01:14Z

Weaknesses