Impact
The vulnerability arises from missing authorization checks in the PlayLists schedule creation endpoint. Any authenticated user with streaming permission can create or edit broadcast schedules for any playlist, regardless of ownership. When such a schedule runs, the rebroadcast is executed under the victim playlist owner's identity, enabling the attacker to hijack or disrupt content streams. This flaw represents a missing authorization weakness (CWE‑862) that compromises the integrity and availability of playlists.
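The missing check described above, as an added sketch in PHP (not AVideo's code and not the patch itself): a handler that tests only the streaming permission beside one that also requires playlist ownership. The class, the function names, the sample data and the admin exception are assumptions made for illustration.

```php
<?php
// Added illustration; every name below is hypothetical, not AVideo's API.
declare(strict_types=1);

final class User {
    public function __construct(public int $id, public bool $canStream, public bool $isAdmin = false) {}
}

// Constructed sample data: playlist id => owner user id.
const PLAYLIST_OWNERS = [10 => 1, 11 => 2];

// Pre-patch shape: only the streaming permission is checked.
function canScheduleVulnerable(User $u, int $playlistId): bool {
    return $u->canStream;
}

// Hardened shape: the caller must also own the playlist.
// The admin exception is an assumption, not something the advisory states.
function canScheduleHardened(User $u, int $playlistId): bool {
    if (!$u->canStream) {
        return false;
    }
    $owner = PLAYLIST_OWNERS[$playlistId] ?? null;
    if ($owner === null) {
        return false; // unknown playlist: deny by default
    }
    return $u->isAdmin || $owner === $u->id;
}

function saveSchedule(User $u, int $playlistId, callable $authorize): array {
    if (!$authorize($u, $playlistId)) {
        return ['error' => true, 'msg' => 'Forbidden'];
    }
    // The scheduled rebroadcast runs under the playlist owner's identity,
    // so the decision above is the only thing tying the caller to the owner.
    return ['error' => false, 'playlists_id' => $playlistId,
            'runs_as' => PLAYLIST_OWNERS[$playlistId]];
}

$streamer = new User(id: 2, canStream: true); // constructed user: owns playlist 11 only
foreach (['canScheduleVulnerable', 'canScheduleHardened'] as $check) {
    foreach ([10, 11] as $pl) {
        $r = saveSchedule($streamer, $pl, $check);
        printf("%-22s playlist %d -> %s\n", $check, $pl,
               $r['error'] ? 'denied' : "saved, runs as user {$r['runs_as']}");
    }
}
```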
Affected Systems
The affected product is the WWBN AVideo platform, versions 26.0 and earlier. The flaw is in the plugin/PlayLists/View/Playlists_schedules/add.json.php endpoint. Any installation of AVideo through version 26.0 that has not applied the patch commit 1e6dc20172de986f60641eb4fdb4090f079ffdce is vulnerable. Exploitation requires an account with streaming permission.
Risk and Exploitability
The CVSS score of 6.3 classifies this as a medium-severity vulnerability. An EPSS score of less than 1% indicates a low likelihood of exploitation in the wild, and the issue is not currently listed in CISA's KEV catalog. Nonetheless, the required conditions (authenticated access plus streaming rights) are likely satisfied in many deployments, making the risk tangible for organizations that rely on AVideo for live broadcasts. An attacker can hijack streams and cause disruption if the flaw remains unpatched.