CVE-2026-33719

{"id": "CVE-2026-33719", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 4.7, "exploitabilityScore": 3.9}]}, "published": "2026-03-23T19:16:42.647", "references": [{"url": "https://github.com/WWBN/AVideo/commit/adeff0a31ba04a56f411eef256139fd7ed7d4310", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-r64r-883r-wcwh", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-306"}]}], "descriptions": [{"lang": "en", "value": "WWBN AVideo is an open source video platform. In versions up to and including 26.0, the CDN plugin endpoints `plugin/CDN/status.json.php` and `plugin/CDN/disable.json.php` use key-based authentication with an empty string default key. When the CDN plugin is enabled but the key has not been configured (the default state), the key validation check is completely bypassed, allowing any unauthenticated attacker to modify the full CDN configuration \u2014 including CDN URLs, storage credentials, and the authentication key itself \u2014 via mass-assignment through the `par` request parameter. Commit adeff0a31ba04a56f411eef256139fd7ed7d4310 contains a patch."}, {"lang": "es", "value": "WWBN AVideo es una plataforma de video de c\u00f3digo abierto. En versiones hasta la 26.0 inclusive, los endpoints del plugin CDN 'plugin/CDN/status.json.php' y 'plugin/CDN/disable.json.php' usan autenticaci\u00f3n basada en clave con una clave predeterminada de cadena vac\u00eda. Cuando el plugin CDN est\u00e1 habilitado pero la clave no ha sido configurada (el estado predeterminado), la verificaci\u00f3n de validaci\u00f3n de clave es completamente omitida, permitiendo a cualquier atacante no autenticado modificar la configuraci\u00f3n completa del CDN \u2014 incluyendo URLs de CDN, credenciales de almacenamiento y la propia clave de autenticaci\u00f3n \u2014 a trav\u00e9s de asignaci\u00f3n masiva mediante el par\u00e1metro de solicitud 'par'. El commit adeff0a31ba04a56f411eef256139fd7ed7d4310 contiene un parche."}], "lastModified": "2026-03-25T14:56:57.593", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "774C24F1-9D26-484F-B931-1DA107C8F588", "versionEndIncluding": "26.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}