{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33764", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-23T18:30:14.126Z", "datePublished": "2026-03-27T14:29:53.559Z", "dateUpdated": "2026-03-27T19:58:05.730Z"}, "containers": {"cna": {"title": "AVideo: IDOR in AI Plugin Allows Stealing Other Users' AI-Generated Metadata and Transcriptions", "problemTypes": [{"descriptions": [{"cweId": "CWE-639", "lang": "en", "description": "CWE-639: Authorization Bypass Through User-Controlled Key", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/WWBN/AVideo/security/advisories/GHSA-g39v-qrj6-jxrh", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-g39v-qrj6-jxrh"}, {"name": "https://github.com/WWBN/AVideo/commit/aa2c46a806960a0006105df47765913394eec142", "tags": ["x_refsource_MISC"], "url": "https://github.com/WWBN/AVideo/commit/aa2c46a806960a0006105df47765913394eec142"}], "affected": [{"vendor": "WWBN", "product": "AVideo", "versions": [{"version": "<= 26.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-27T14:29:53.559Z"}, "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions up to and including 26.0, the AI plugin's `save.json.php` endpoint loads AI response objects using an attacker-controlled `$_REQUEST['id']` parameter without validating that the AI response belongs to the specified video. An authenticated user with AI permissions can reference any AI response ID \u2014 including those generated for other users' private videos \u2014 and apply the stolen AI-generated content (titles, descriptions, keywords, summaries, or full transcriptions) to their own video, effectively exfiltrating the information. Commit aa2c46a806960a0006105df47765913394eec142 contains a patch."}], "source": {"advisory": "GHSA-g39v-qrj6-jxrh", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-g39v-qrj6-jxrh", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-27T18:52:10.275012Z", "id": "CVE-2026-33764", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T19:58:05.730Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33764", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-27T18:52:10.275012Z"}}}], "references": [{"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-g39v-qrj6-jxrh", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T18:52:21.088Z"}}], "cna": {"title": "AVideo: IDOR in AI Plugin Allows Stealing Other Users' AI-Generated Metadata and Transcriptions", "source": {"advisory": "GHSA-g39v-qrj6-jxrh", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "WWBN", "product": "AVideo", "versions": [{"status": "affected", "version": "<= 26.0"}]}], "references": [{"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-g39v-qrj6-jxrh", "name": "https://github.com/WWBN/AVideo/security/advisories/GHSA-g39v-qrj6-jxrh", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/WWBN/AVideo/commit/aa2c46a806960a0006105df47765913394eec142", "name": "https://github.com/WWBN/AVideo/commit/aa2c46a806960a0006105df47765913394eec142", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions up to and including 26.0, the AI plugin's `save.json.php` endpoint loads AI response objects using an attacker-controlled `$_REQUEST['id']` parameter without validating that the AI response belongs to the specified video. An authenticated user with AI permissions can reference any AI response ID \u2014 including those generated for other users' private videos \u2014 and apply the stolen AI-generated content (titles, descriptions, keywords, summaries, or full transcriptions) to their own video, effectively exfiltrating the information. Commit aa2c46a806960a0006105df47765913394eec142 contains a patch."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-639", "description": "CWE-639: Authorization Bypass Through User-Controlled Key"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-27T14:29:53.559Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33764", "state": "PUBLISHED", "dateUpdated": "2026-03-27T19:58:05.730Z", "dateReserved": "2026-03-23T18:30:14.126Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-27T14:29:53.559Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions up to and including 26.0, the AI plugin's `save.json.php` endpoint loads AI response objects using an attacker-controlled `$_REQUEST['id']` parameter without validating that the AI response belongs to the specified video. An authenticated user with AI permissions can reference any AI response ID \u2014 including those generated for other users' private videos \u2014 and apply the stolen AI-generated content (titles, descriptions, keywords, summaries, or full transcriptions) to their own video, effectively exfiltrating the information. Commit aa2c46a806960a0006105df47765913394eec142 contains a patch."}], "id": "CVE-2026-33764", "lastModified": "2026-03-27T20:16:33.903", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "[email protected]", "type": "Secondary"}]}, "published": "2026-03-27T15:16:58.587", "references": [{"source": "[email protected]", "url": "https://github.com/WWBN/AVideo/commit/aa2c46a806960a0006105df47765913394eec142"}, {"source": "[email protected]", "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-g39v-qrj6-jxrh"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-g39v-qrj6-jxrh"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "[email protected]", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-27T16:22:25.318373+00:00", "value": {"mitigation_remediation": ["Update AVideo to a patched release that includes commit aa2c46a8", "Verify that the updated version rejects arbitrary AI response identifiers", "If an upgrade cannot be applied immediately, revoke AI permissions for untrusted users and monitor the AI\u2011plugin logs for anomalous activity"], "summary": {"action": "Apply Patch", "impact": "Unauthorized Access and Data Exfiltration"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the open\u2011source AVideo video platform produced by WWBN in all releases up to and including version 26.0. A patch that incorporates commit aa2c46a806960a0006105df47765913394eec142 resolves the issue. Users of affected versions should update to a patched release.", "description_and_impact": "The IDOR flaw in the AI plugin\u2019s save.json.php endpoint allows a user who can authenticate with AI permissions to specify any AI response identifier. The server loads the AI response object without verifying that it belongs to the referenced video, enabling the attacker to retrieve or apply AI\u2011generated titles, descriptions, keywords, summaries, or full transcriptions that were created for another user\u2019s private video. This leads to a confidentiality breach of private AI content and an integrity compromise of a user\u2019s own metadata. The weakness is a classic Insecure Direct Object Reference (CWE\u2011639).", "risk_and_exploitability": "The CVSS score of 4.3 signifies moderate severity. EPSS information is unavailable and the flaw is not listed in CISA\u2019s KEV catalog, indicating limited evidence of public exploitation. Based on the description, the attack requires authentication and AI permissions, pointing to a credentialed insider or compromised user scenario. An attacker who succeeds can read private AI\u2011generated content and use it to overwrite their own video metadata, thereby breaching confidentiality and potentially manipulating public-facing information."}}}}, "created": "2026-03-27T20:28:29.166801+00:00", "updated": "2026-03-27T20:28:29.166826+00:00", "vendors": []}