CVE-2026-33650

Published: Mar 23, 2026 Last Modified: Mar 23, 2026
HIGH 7.6
Attack Vector: network
Attack Complexity: low
Privileges Required: low
User Interaction: none
Scope: unchanged
Confidentiality: low
Integrity: high
Availability: low

Description

WWBN AVideo is an open source video platform. In versions up to and including 26.0, a user with the 'Videos Moderator' permission can escalate privileges to perform full video management operations — including ownership transfer and deletion of any video — despite the permission being documented as only allowing video publicity changes (Active, Inactive, Unlisted). The root cause is that `Permissions::canModerateVideos()` is used as an authorization gate for full video editing in `videoAddNew.json.php`, while `videoDelete.json.php` only checks ownership, creating an asymmetric authorization boundary exploitable via a two-step ownership-transfer-then-delete chain. Commit 838e16818c793779406ecbf34ebaeba9830e33f8 contains a patch.
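
The mismatch described above, reduced to a small model and written as a regression check. This is an added example, not AVideo source code or its patch: every class, function and field name is hypothetical, the status strings are constructed, and the hardened gate is one possible fix rather than a description of the referenced commit.

```php
<?php
// Hypothetical model of the two endpoints' authorization gates (PHP 8+).
final class User {
    public function __construct(public int $id, public bool $isAdmin = false,
                                public bool $isVideosModerator = false) {}
}
final class Video {
    public function __construct(public int $id, public int $ownerId,
                                public string $status = 'active') {}
}

// Flawed shape: the moderator flag authorizes every field of the edit request.
function canEditFlawed(User $u, Video $v, array $changes): bool {
    return $u->isAdmin || $u->id === $v->ownerId || $u->isVideosModerator;
}

// Hardened shape: a moderator may submit only a publicity status change.
function canEditHardened(User $u, Video $v, array $changes): bool {
    if ($u->isAdmin || $u->id === $v->ownerId) {
        return true;
    }
    return $u->isVideosModerator
        && array_keys($changes) === ['status']
        && in_array($changes['status'], ['active', 'inactive', 'unlisted'], true);
}

// Delete gate: ownership (or admin) only, identical in both variants.
function canDelete(User $u, Video $v): bool {
    return $u->isAdmin || $u->id === $v->ownerId;
}

function applyEdit(callable $gate, User $u, Video $v, array $changes): bool {
    if (!$gate($u, $v, $changes)) {
        return false;
    }
    foreach ($changes as $field => $value) {
        $v->$field = $value;
    }
    return true;
}

// Regression check: a moderator (id 2) acting on a video owned by user 1.
foreach (['flawed' => 'canEditFlawed', 'hardened' => 'canEditHardened'] as $name => $gate) {
    $moderator = new User(2, false, true);
    $video = new Video(10, 1);
    $status = applyEdit($gate, $moderator, $video, ['status' => 'unlisted']);
    $owner = applyEdit($gate, $moderator, $video, ['ownerId' => $moderator->id]);
    printf("%-8s status=%s owner-change=%s delete=%s\n", $name, var_export($status, true),
        var_export($owner, true), var_export(canDelete($moderator, $video), true));
}
```

With the flawed gate the ownership check on delete is satisfied after the edit; with the hardened gate the status change still succeeds while the owner change and the delete are both refused.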

CWE-863: Incorrect Authorization

Incomplete
Common Consequences
Security Scopes Affected:
Confidentiality, Integrity, Access Control, Availability
Potential Impacts:
Read Application Data; Read Files or Directories; Modify Application Data; Modify Files or Directories; Gain Privileges or Assume Identity; Bypass Protection Mechanism; Execute Unauthorized Code or Commands; DoS: Crash, Exit, or Restart; DoS: Resource Consumption (CPU); DoS: Resource Consumption (Memory); DoS: Resource Consumption (Other)
Applicable Platforms
Technologies: Database Server, Not Technology-Specific, Web Server
https://github.com/WWBN/AVideo/commit/838e16818c793779406ecbf34ebaeba9830e33f8
https://github.com/WWBN/AVideo/security/advisories/GHSA-8x77-f38v-4m5j