CVE-2026-33501 - Vulnerability Analysis
MediumCVSS: 5.3Last Updated: March 24, 2026
WWBN AVideo - Broken Access Control
Published: March 23, 2026Updated: March 24, 2026PoC AvailableRemote Exploitable
Overview
WWBN AVideo <= 26.0 contains an information disclosure vulnerability caused by missing authentication and authorization checks in plugin/Permissions/View/Users_groups_permissions/list.json.php, letting unauthenticated users retrieve the complete permission matrix, exploit requires no authentication.
Severity & Score
Severity: Medium
CVSS Score: 5.3
Impact
Unauthenticated attackers can access sensitive permission mappings, potentially aiding further attacks or privilege escalation.
Mitigation
Update to a version including commits dc3c825734628bb32550d0daa125f05bacb6829c and b583acdc9a9d1eab461543caa363e1a104fb4516 or the latest available version.
References
Related Resources
Details
- CVE ID
- CVE-2026-33501
- Severity
- Medium
- CVSS Score
- 5.3
- Type
- broken_access_control
- Status
- confirmed
CWE
- CWE-862
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N