7.6
CVE-2026-33650
- EPSS 0.24%
- Veröffentlicht 23.03.2026 18:28:13
- Zuletzt bearbeitet 25.03.2026 18:00:14
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
LoginAVideo's Video Moderator Privilege Escalation via Ownership Transfer Enables Arbitrary Video Deletion
WWBN AVideo is an open source video platform. In versions up to and including 26.0, a user with the "Videos Moderator" permission can escalate privileges to perform full video management operations — including ownership transfer and deletion of any video — despite the permission being documented as only allowing video publicity changes (Active, Inactive, Unlisted). The root cause is that `Permissions::canModerateVideos()` is used as an authorization gate for full video editing in `videoAddNew.json.php`, while `videoDelete.json.php` only checks ownership, creating an asymmetric authorization boundary exploitable via a two-step ownership-transfer-then-delete chain. Commit 838e16818c793779406ecbf34ebaeba9830e33f8 contains a patch.
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.24% | 0.148 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| security-advisories@github.com | 7.6 | 2.8 | 4.7 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L
|
CWE-863 Incorrect Authorization
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
https://github.com/WWBN/AVideo/security/advisories/GHSA-8x77-f38v-4m5j
https://github.com/WWBN/AVideo/commit/838e16818c793779406ecbf34ebaeba9830e33f8