Description

WWBN AVideo is an open source video platform. In versions up to and including 26.0, a user with the "Videos Moderator" permission can escalate privileges to perform full video management operations — including ownership transfer and deletion of any video — despite the permission being documented as only allowing video publicity changes (Active, Inactive, Unlisted). The root cause is that `Permissions::canModerateVideos()` is used as an authorization gate for full video editing in `videoAddNew.json.php`, while `videoDelete.json.php` only checks ownership, creating an asymmetric authorization boundary exploitable via a two-step ownership-transfer-then-delete chain. Commit 838e16818c793779406ecbf34ebaeba9830e33f8 contains a patch.

INFO

Published Date :

2026-03-23T18:28:13.324Z

Last Modified :

2026-03-24T14:10:38.572Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-33650 vulnerability.

Vendors Products
Wwbn
  • Avideo
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-33650.

URL Resource
https://github.com/WWBN/AVideo/commit/838e16818c793779406ecbf34ebaeba9830e33f8 cve-icon cve-icon
https://github.com/WWBN/AVideo/security/advisories/GHSA-8x77-f38v-4m5j cve-icon cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact