CVE-2026-33764

Severity CVSS v4.0:

Pending analysis

Type:

Unavailable / Other

Publication date:

27/03/2026

Last modified:

31/03/2026

Description

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the AI plugin&#39;s `save.json.php` endpoint loads AI response objects using an attacker-controlled `$_REQUEST[&#39;id&#39;]` parameter without validating that the AI response belongs to the specified video. An authenticated user with AI permissions can reference any AI response ID — including those generated for other users&#39; private videos — and apply the stolen AI-generated content (titles, descriptions, keywords, summaries, or full transcriptions) to their own video, effectively exfiltrating the information. Commit aa2c46a806960a0006105df47765913394eec142 contains a patch.

Impact

Vector 3.x

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVSS v3.1 Severity and Metrics:

Base Score: 4.30 MEDIUM
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): Low
Integrity (I): None
Availability (A): None