CVE-2026-33719
HIGH
WWBN AVideo <= 26.0 - Unauthenticated CDN Configuration Modification via par Parameter
Title source: llmDescription
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the CDN plugin endpoints `plugin/CDN/status.json.php` and `plugin/CDN/disable.json.php` use key-based authentication with an empty string default key. When the CDN plugin is enabled but the key has not been configured (the default state), the key validation check is completely bypassed, allowing any unauthenticated attacker to modify the full CDN configuration — including CDN URLs, storage credentials, and the authentication key itself — via mass-assignment through the `par` request parameter. Commit adeff0a31ba04a56f411eef256139fd7ed7d4310 contains a patch.
References (2)
Core References
Vendor Advisory x_refsource_confirm
https://github.com/WWBN/AVideo/security/advisories/GHSA-r64r-883r-wcwh
Patch x_refsource_misc
https://github.com/WWBN/AVideo/commit/adeff0a31ba04a56f411eef256139fd7ed7d4310
Scores
CVSS v3: 8.6
EPSS: 0.0036
EPSS Percentile: 27.3%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L
CISA SSVC
Vulnrichment
Exploitation: poc
Automatable: yes
Technical Impact: partial
Details
CWE: CWE-306
Status: published
Products (3)
wwbn/avideo: < 26.0
wwbn/avideo: 0 Packagist
WWBN/AVideo: <= 26.0
Published: Mar 23, 2026
Tracked Since: Mar 24, 2026