CVE-2026-33761
Unauthenticated Data Exposure in WWBN AVideo Scheduler Plugin
Publication date: 2026-03-27
Last updated on: 2026-03-31
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wwbn | avideo | up to and including 26.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows unauthenticated attackers to access sensitive information such as scheduled tasks with internal callback URLs, admin-composed email messages, and user-to-email targeting mappings. Such unauthorized disclosure of internal infrastructure details and user-related data could lead to violations of data protection regulations like GDPR and HIPAA, which require strict controls on access to personal and sensitive information.
Specifically, the exposure of user-to-email mappings and email content may constitute a breach of confidentiality and privacy obligations under these standards, potentially resulting in non-compliance and associated legal or regulatory consequences.
Can you explain this vulnerability to me?
CVE-2026-33761 is an unauthenticated access vulnerability in the Scheduler plugin of the WWBN AVideo platform (versions up to and including 26.0). Specifically, three endpoints named list.json.php in the Scheduler plugin do not perform any authentication or authorization checks before returning data.
These vulnerable endpoints allow anyone to send simple GET requests and retrieve sensitive information without needing to log in or have admin privileges. The exposed data includes scheduled tasks with internal callback URLs and parameters, admin-composed email messages, and mappings of users to email campaigns.
This happens because these endpoints directly call methods that fetch all records from their respective database tables and return them as JSON, without verifying if the requester is authorized. Other endpoints in the same plugin require admin checks, but these three do not.
How can this vulnerability impact me?
This vulnerability can lead to unauthorized disclosure of sensitive internal information and user data.
- Exposure of internal infrastructure details such as internal callback URLs and API parameters, which can aid attackers in reconnaissance and potentially enable Server-Side Request Forgery (SSRF) attacks.
- Disclosure of confidential email campaign content composed by administrators, including full email subjects and HTML message bodies.
- User enumeration and profiling through the exposure of user-to-email targeting mappings, revealing which users are targeted by which email campaigns and when emails were sent.
- Insight into operational scheduling patterns such as cron schedules, execution status, and timezones.
Overall, this can compromise privacy, aid attackers in planning further attacks, and leak sensitive operational and user-related information.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by sending unauthenticated HTTP GET requests to the three vulnerable endpoints in the Scheduler plugin and checking if sensitive data is returned without authentication.
- Send a GET request to /plugin/Scheduler/View/Scheduler_commands/list.json.php and verify if scheduled tasks data is returned.
- Send a GET request to /plugin/Scheduler/View/Emails_messages/list.json.php and check if admin-composed email messages are accessible.
- Send a GET request to /plugin/Scheduler/View/Email_to_user/list.json.php and confirm if user-to-email targeting mappings are exposed.
These requests do not require any authentication tokens or session cookies. If the responses contain JSON data with sensitive scheduling or email information, the system is vulnerable.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability immediately, add administrative authorization checks to the three vulnerable list.json.php endpoints in the Scheduler plugin.
- Modify each of the following files: Scheduler_commands/list.json.php, Emails_messages/list.json.php, and Email_to_user/list.json.php.
- Insert a check after the require_once statements to verify if the user is an admin using User::isAdmin().
- If the user is not an admin, terminate the script and return a JSON error message indicating lack of authorization.
Example code snippet to add near the start of each vulnerable file (after its require_once statements):

```php
if (!User::isAdmin()) {
    http_response_code(403);
    die(json_encode(['error' => true, 'msg' => 'Not authorized']));
}
```
This fix restricts access to these endpoints strictly to administrators, preventing unauthorized data disclosure.
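The same guard, written out as the hardened shape of one Scheduler list.json.php endpoint, as an added example that is not AVideo's own code: it keeps the JSON content type consistent for both the error and success paths and logs refused requests so that unauthenticated probing of these endpoints leaves a trace. The bootstrap require_once lines are assumed to already sit above it, and fetchAllRecords() is a hypothetical stand-in for the plugin's own record-fetching call.

```php
<?php
// Added example (not the project's code): hardened list.json.php pattern.
// The file's existing require_once statements stay above this line; they
// are what make User::isAdmin() available.

// Answer as JSON in every case so API callers can always parse the body.
header('Content-Type: application/json');

/**
 * Abort with 403 unless the current session belongs to an administrator.
 * The log line is the detection hook: it records who was refused and which
 * endpoint they asked for, but never any of the protected record data.
 */
function requireAdminJson(string $endpoint): void
{
    if (User::isAdmin()) {
        return;
    }
    $ip = $_SERVER['REMOTE_ADDR'] ?? 'unknown';
    error_log("Scheduler: refused unauthenticated request to {$endpoint} from {$ip}");
    http_response_code(403);
    echo json_encode(['error' => true, 'msg' => 'Not authorized']);
    exit;
}

// Placeholder for the real query; the vulnerable files call the plugin's
// own "fetch all rows from this table" method here. Hypothetical name.
function fetchAllRecords(): array
{
    return [];
}

// The guard runs before any database access, so non-admins never reach
// the query that returned scheduled tasks, email bodies or user mappings.
requireAdminJson('Scheduler_commands/list.json.php');

$rows = fetchAllRecords();
echo json_encode(['error' => false, 'rows' => $rows]);
```

Apply the same guard to Emails_messages/list.json.php and Email_to_user/list.json.php; once in place, a 403 with the JSON error body on an unauthenticated GET is the expected result of the detection requests described above.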