CVE-2026-33649

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2026-33649
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `plugin/Permissions/setPermission.json.php` endpoint accepts GET parameters for a state-changing operation that modifies user group permissions. The endpoint has no CSRF token validation, and the application explicitly sets `session.cookie_samesite=None` on session cookies. This allows an unauthenticated attacker to craft a page with `<img>` tags that, when visited by an admin, silently grant arbitrary permissions to the attacker's user group — escalating the attacker to near-admin access. As of time of publication, no known patched versions are available.

8.1 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://github.com/WWBN/AVideo/security/advisories/GHSA-g8x9-7mgh-7cvj Exploit Vendor Advisory
https://github.com/WWBN/AVideo/security/advisories/GHSA-g8x9-7mgh-7cvj Exploit Vendor Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*
History

25 Mar 2026, 14:54

Type Values Removed Values Added
CPE cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*
References () https://github.com/WWBN/AVideo/security/advisories/GHSA-g8x9-7mgh-7cvj - () https://github.com/WWBN/AVideo/security/advisories/GHSA-g8x9-7mgh-7cvj - Exploit, Vendor Advisory
First Time Wwbn
Wwbn avideo

24 Mar 2026, 16:16

Type Values Removed Values Added
Summary
  • (es) WWBN AVideo es una plataforma de video de código abierto. En versiones hasta la 26.0 inclusive, el endpoint 'plugin/Permissions/setPermission.json.php' acepta parámetros GET para una operación de cambio de estado que modifica los permisos de grupos de usuarios. El endpoint no tiene validación de token CSRF, y la aplicación establece explícitamente 'session.cookie_samesite=None' en las cookies de sesión. Esto permite a un atacante no autenticado crear una página con etiquetas '' que, cuando es visitada por un administrador, concede silenciosamente permisos arbitrarios al grupo de usuarios del atacante — escalando al atacante a un acceso casi de administrador. Hasta el momento de la publicación, no hay versiones parcheadas conocidas disponibles.
References () https://github.com/WWBN/AVideo/security/advisories/GHSA-g8x9-7mgh-7cvj - () https://github.com/WWBN/AVideo/security/advisories/GHSA-g8x9-7mgh-7cvj -

23 Mar 2026, 19:16

Type Values Removed Values Added
New CVE
Information

Published : 2026-03-23 19:16

Updated : 2026-03-25 14:54

NVD link : CVE-2026-33649

Mitre link : CVE-2026-33649

CVE.ORG link : CVE-2026-33649

JSON object : View

Products Affected

wwbn

  • avideo
CWE
CWE-352

Cross-Site Request Forgery (CSRF)