SecuriTricks - CVE-2026-33719

Description

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the CDN plugin endpoints `plugin/CDN/status.json.php` and `plugin/CDN/disable.json.php` use key-based authentication with an empty string default key. When the CDN plugin is enabled but the key has not been configured (the default state), the key validation check is completely bypassed, allowing any unauthenticated attacker to modify the full CDN configuration — including CDN URLs, storage credentials, and the authentication key itself — via mass-assignment through the `par` request parameter. Commit adeff0a31ba04a56f411eef256139fd7ed7d4310 contains a patch.

Product(s) Impacted

Vendor	Product	Versions
Wwbn	Avideo	<26.0

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-306

Missing Authentication for Critical Function

The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

*CPE(s)

Affected systems and software identified for this CVE.

Type	Vendor	Product	Version	Update	Edition	Language	Software Edition	Target Software	Target Hardware	Other Information
a	wwbn	avideo	<26.0	/	/	/	/	/	/	/

References

https://github.com/WWBN/AVideo/commit/adeff0a31ba04a56f411eef256139fd7ed7d4310

https://github.com/WWBN/AVideo/security/advisories/GHSA-r64r-883r-wcwh

CVSS Score

8.6 / 10

CVSS Data - 3.1

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: HIGH
Availability Impact: LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L

View Vector String

Timeline

Published: March 23, 2026, 7:16 p.m.
Last Modified: March 24, 2026, 3:54 p.m.

Status : Undergoing Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

[email protected]

CVE-2026-33719