{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-24T12:05:33.786","vulnerabilities":[{"cve":{"id":"CVE-2026-33650","sourceIdentifier":"security-advisories@github.com","published":"2026-03-23T19:16:41.223","lastModified":"2026-03-25T18:00:14.167","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"WWBN AVideo is an open source video platform. In versions up to and including 26.0, a user with the \"Videos Moderator\" permission can escalate privileges to perform full video management operations — including ownership transfer and deletion of any video — despite the permission being documented as only allowing video publicity changes (Active, Inactive, Unlisted). The root cause is that `Permissions::canModerateVideos()` is used as an authorization gate for full video editing in `videoAddNew.json.php`, while `videoDelete.json.php` only checks ownership, creating an asymmetric authorization boundary exploitable via a two-step ownership-transfer-then-delete chain. Commit 838e16818c793779406ecbf34ebaeba9830e33f8 contains a patch."},{"lang":"es","value":"WWBN AVideo es una plataforma de video de código abierto. En versiones hasta la 26.0 inclusive, un usuario con el permiso 'Moderador de Videos' puede escalar privilegios para realizar operaciones completas de gestión de videos — incluyendo la transferencia de propiedad y la eliminación de cualquier video — a pesar de que el permiso está documentado como que solo permite cambios en la publicidad de videos (Activo, Inactivo, No listado). La causa raíz es que `Permissions::canModerateVideos()` se utiliza como una puerta de autorización para la edición completa de videos en `videoAddNew.json.php`, mientras que `videoDelete.json.php` solo verifica la propiedad, creando un límite de autorización asimétrico explotable a través de una cadena de dos pasos de transferencia de propiedad y luego eliminación. El commit 838e16818c793779406ecbf34ebaeba9830e33f8 contiene un parche."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L","baseScore":7.6,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"HIGH","availabilityImpact":"LOW"},"exploitabilityScore":2.8,"impactScore":4.7}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-863"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*","versionEndIncluding":"26.0","matchCriteriaId":"774C24F1-9D26-484F-B931-1DA107C8F588"}]}]}],"references":[{"url":"https://github.com/WWBN/AVideo/commit/838e16818c793779406ecbf34ebaeba9830e33f8","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/WWBN/AVideo/security/advisories/GHSA-8x77-f38v-4m5j","source":"security-advisories@github.com","tags":["Exploit","Vendor Advisory"]},{"url":"https://github.com/WWBN/AVideo/security/advisories/GHSA-8x77-f38v-4m5j","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","tags":["Exploit","Vendor Advisory"]}]}}]}