{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-05-01T19:07:38.196","vulnerabilities":[{"cve":{"id":"CVE-2026-33649","sourceIdentifier":"security-advisories@github.com","published":"2026-03-23T19:16:41.070","lastModified":"2026-03-25T14:54:19.157","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `plugin/Permissions/setPermission.json.php` endpoint accepts GET parameters for a state-changing operation that modifies user group permissions. The endpoint has no CSRF token validation, and the application explicitly sets `session.cookie_samesite=None` on session cookies. This allows an unauthenticated attacker to craft a page with `<img>` tags that, when visited by an admin, silently grant arbitrary permissions to the attacker's user group — escalating the attacker to near-admin access. As of time of publication, no known patched versions are available."},{"lang":"es","value":"WWBN AVideo es una plataforma de video de código abierto. En versiones hasta la 26.0 inclusive, el endpoint 'plugin/Permissions/setPermission.json.php' acepta parámetros GET para una operación de cambio de estado que modifica los permisos de grupos de usuarios. El endpoint no tiene validación de token CSRF, y la aplicación establece explícitamente 'session.cookie_samesite=None' en las cookies de sesión. Esto permite a un atacante no autenticado crear una página con etiquetas '' que, cuando es visitada por un administrador, concede silenciosamente permisos arbitrarios al grupo de usuarios del atacante — escalando al atacante a un acceso casi de administrador. Hasta el momento de la publicación, no hay versiones parcheadas conocidas disponibles."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N","baseScore":8.1,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":5.2},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.8,"impactScore":5.9}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-352"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*","versionEndIncluding":"26.0","matchCriteriaId":"774C24F1-9D26-484F-B931-1DA107C8F588"}]}]}],"references":[{"url":"https://github.com/WWBN/AVideo/security/advisories/GHSA-g8x9-7mgh-7cvj","source":"security-advisories@github.com","tags":["Exploit","Vendor Advisory"]},{"url":"https://github.com/WWBN/AVideo/security/advisories/GHSA-g8x9-7mgh-7cvj","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","tags":["Exploit","Vendor Advisory"]}]}}]}