CVE-2026-33761
Received Received - Intake
Unauthenticated Data Exposure in WWBN AVideo Scheduler Plugin

Publication date: 2026-03-27

Last updated on: 2026-03-31

Assigner: GitHub, Inc.

Description
WWBN AVideo is an open source video platform. In versions up to and including 26.0, three `list.json.php` endpoints in the Scheduler plugin lack any authentication check, while every other endpoint in the same plugin directories (`add.json.php`, `delete.json.php`, `index.php`) requires `User::isAdmin()`. An unauthenticated attacker can retrieve all scheduled tasks (including internal callback URLs and parameters), admin-composed email messages, and user-to-email targeting mappings by sending simple GET requests. Commit 83390ab1fa8dca2de3f8fa76116a126428405431 contains a patch.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-27
Last Modified
2026-03-31
Generated
2026-06-16
AI Q&A
2026-03-27
EPSS Evaluated
2026-06-15
NVD
CVE-2026-33761
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wwbn avideo to 26.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-33761 is an unauthenticated access vulnerability in the Scheduler plugin of the WWBN AVideo platform (versions up to and including 26.0). Specifically, three endpoints named list.json.php in the Scheduler plugin do not perform any authentication or authorization checks before returning data.

These vulnerable endpoints allow anyone to send simple GET requests and retrieve sensitive information without needing to log in or have admin privileges. The exposed data includes scheduled tasks with internal callback URLs and parameters, admin-composed email messages, and mappings of users to email campaigns.

This happens because these endpoints directly call methods that fetch all records from their respective database tables and return them as JSON, without verifying if the requester is authorized. Other endpoints in the same plugin require admin checks, but these three do not.

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive internal information and user data.

  • Exposure of internal infrastructure details such as internal callback URLs and API parameters, which can aid attackers in reconnaissance and potentially enable Server-Side Request Forgery (SSRF) attacks.
  • Disclosure of confidential email campaign content composed by administrators, including full email subjects and HTML message bodies.
  • User enumeration and profiling through the exposure of user-to-email targeting mappings, revealing which users are targeted by which email campaigns and when emails were sent.
  • Insight into operational scheduling patterns such as cron schedules, execution status, and timezones.

Overall, this can compromise privacy, aid attackers in planning further attacks, and leak sensitive operational and user-related information.

Detection Guidance

This vulnerability can be detected by sending unauthenticated HTTP GET requests to the three vulnerable endpoints in the Scheduler plugin and checking if sensitive data is returned without authentication.

  • Send a GET request to /plugin/Scheduler/View/Scheduler_commands/list.json.php and verify if scheduled tasks data is returned.
  • Send a GET request to /plugin/Scheduler/View/Emails_messages/list.json.php and check if admin-composed email messages are accessible.
  • Send a GET request to /plugin/Scheduler/View/Email_to_user/list.json.php and confirm if user-to-email targeting mappings are exposed.

These requests do not require any authentication tokens or session cookies. If the responses contain JSON data with sensitive scheduling or email information, the system is vulnerable.

Mitigation Strategies

To mitigate this vulnerability immediately, add administrative authorization checks to the three vulnerable list.json.php endpoints in the Scheduler plugin.

  • Modify each of the following files: Scheduler_commands/list.json.php, Emails_messages/list.json.php, and Email_to_user/list.json.php.
  • Insert a check after the require_once statements to verify if the user is an admin using User::isAdmin().
  • If the user is not an admin, terminate the script and return a JSON error message indicating lack of authorization.

Example code snippet to add at the start of each vulnerable file: if (!User::isAdmin()) { http_response_code(403); die(json_encode(['error' => true, 'msg' => 'Not authorized'])); }

This fix restricts access to these endpoints strictly to administrators, preventing unauthorized data disclosure.

Compliance Impact

This vulnerability allows unauthenticated attackers to access sensitive information such as scheduled tasks with internal callback URLs, admin-composed email messages, and user-to-email targeting mappings. Such unauthorized disclosure of internal infrastructure details and user-related data could lead to violations of data protection regulations like GDPR and HIPAA, which require strict controls on access to personal and sensitive information.

Specifically, the exposure of user-to-email mappings and email content may constitute a breach of confidentiality and privacy obligations under these standards, potentially resulting in non-compliance and associated legal or regulatory consequences.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33761. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart