{ "document": { "category": "csaf_base", "csaf_version": "2.0", "distribution": { "tlp": { "label": "WHITE" } }, "lang": "en", "notes": [ { "category": "legal_disclaimer", "text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this portal to enhance access to its information and vulnerabilities. The use of this information is subject to the following terms and conditions:\n\nThe vulnerabilities disclosed in this portal are gathered by NCSC-NL from a variety of open sources, which the user can retrieve from other platforms. NCSC-NL makes every reasonable effort to ensure that the content of this portal is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or real-time keeping up-to-date. NCSC-NL does not control nor guarantee the accuracy, relevance, timeliness or completeness of information obtained from these external sources. The vulnerabilities disclosed in this portal are intended solely for the convenience of professional parties to take appropriate measures to manage the risks posed to the cybersecurity. No rights can be derived from the information provided therein.\n\nNCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of the vulnerabilities disclosed in this portal. This includes damage resulting from the inaccuracy of incompleteness of the information contained in it.\nThe information on this page is subject to Dutch law. All disputes related to or arising from the use of this portal regarding the disclosure of vulnerabilities will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings." } ], "publisher": { "category": "coordinator", "contact_details": "cert@ncsc.nl", "name": "National Cyber Security Centre", "namespace": "https://www.ncsc.nl/" }, "title": "CVE-2026-33761", "tracking": { "current_release_date": "2026-03-31T19:32:00.458739Z", "generator": { "date": "2026-02-17T15:00:00Z", "engine": { "name": "V.E.L.M.A", "version": "1.7" } }, "id": "CVE-2026-33761", "initial_release_date": "2026-03-26T19:01:11.820605Z", "revision_history": [ { "date": "2026-03-26T19:01:11.820605Z", "number": "1", "summary": "CVE created.| Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (3).| CWES updated (1)." }, { "date": "2026-03-26T19:01:14.072968Z", "number": "2", "summary": "NCSC Score created." }, { "date": "2026-03-27T00:41:24.547843Z", "number": "3", "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products connected (18).| Product Identifiers created (17).| References created (2).| CWES updated (1)." }, { "date": "2026-03-27T00:41:35.780445Z", "number": "4", "summary": "NCSC Score updated." }, { "date": "2026-03-27T19:44:40.595139Z", "number": "5", "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (2).| CWES updated (1)." }, { "date": "2026-03-27T19:44:42.805749Z", "number": "6", "summary": "NCSC Score updated." }, { "date": "2026-03-27T19:45:47.504184Z", "number": "7", "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products connected (1).| References created (2).| CWES updated (1)." }, { "date": "2026-03-27T19:45:50.339871Z", "number": "8", "summary": "NCSC Score updated." }, { "date": "2026-03-27T19:47:11.817087Z", "number": "9", "summary": "Unknown change." }, { "date": "2026-03-27T20:48:10.338499Z", "number": "10", "summary": "NCSC Score updated." }, { "date": "2026-03-28T07:57:18.446835Z", "number": "11", "summary": "References created (1)." }, { "date": "2026-03-29T00:38:51.529349Z", "number": "12", "summary": "Source connected.| CVE status created. (valid)| EPSS created." }, { "date": "2026-03-31T19:27:08.415860Z", "number": "13", "summary": "Products connected (1).| Product Identifiers created (1).| Exploits created (1)." }, { "date": "2026-03-31T19:27:13.884571Z", "number": "14", "summary": "NCSC Score updated." } ], "status": "interim", "version": "14" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_version_range", "name": "vers:unknown/<=26.0", "product": { "name": "vers:unknown/<=26.0", "product_id": "CSAFPID-5893889", "product_identification_helper": { "cpe": "cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*" } } } ], "category": "product_name", "name": "AVideo" }, { "branches": [ { "category": "product_version_range", "name": "vers:unknown/10.4", "product": { "name": "vers:unknown/10.4", "product_id": "CSAFPID-5656122", "product_identification_helper": { "purl": "pkg:composer/wwbn/avideo@10.4" } } }, { "category": "product_version_range", "name": "vers:unknown/10.8", "product": { "name": "vers:unknown/10.8", "product_id": "CSAFPID-5656123", "product_identification_helper": { "purl": "pkg:composer/wwbn/avideo@10.8" } } }, { "category": "product_version_range", "name": "vers:unknown/11", "product": { "name": "vers:unknown/11", "product_id": "CSAFPID-5656124", "product_identification_helper": { "purl": "pkg:composer/wwbn/avideo@11" } } }, { "category": "product_version_range", "name": "vers:unknown/11.1", "product": { "name": "vers:unknown/11.1", "product_id": "CSAFPID-5656125", "product_identification_helper": { "purl": "pkg:composer/wwbn/avideo@11.1" } } }, { "category": "product_version_range", "name": "vers:unknown/11.1.1", "product": { "name": "vers:unknown/11.1.1", "product_id": "CSAFPID-5656126", "product_identification_helper": { "purl": "pkg:composer/wwbn/avideo@11.1.1" } } }, { "category": "product_version_range", "name": "vers:unknown/11.5", "product": { "name": "vers:unknown/11.5", "product_id": "CSAFPID-5656127", "product_identification_helper": { "purl": "pkg:composer/wwbn/avideo@11.5" } } }, { "category": "product_version_range", "name": "vers:unknown/11.6", "product": { "name": "vers:unknown/11.6", "product_id": "CSAFPID-5656128", "product_identification_helper": { "purl": "pkg:composer/wwbn/avideo@11.6" } } }, { "category": "product_version_range", "name": "vers:unknown/12.4", "product": { "name": "vers:unknown/12.4", "product_id": "CSAFPID-5656129", "product_identification_helper": { "purl": "pkg:composer/wwbn/avideo@12.4" } } }, { "category": "product_version_range", "name": "vers:unknown/14.3", "product": { "name": "vers:unknown/14.3", "product_id": "CSAFPID-5656130", "product_identification_helper": { "purl": "pkg:composer/wwbn/avideo@14.3" } } }, { "category": "product_version_range", "name": "vers:unknown/14.3.1", "product": { "name": "vers:unknown/14.3.1", "product_id": "CSAFPID-5656131", "product_identification_helper": { "purl": "pkg:composer/wwbn/avideo@14.3.1" } } }, { "category": "product_version_range", "name": "vers:unknown/14.4", "product": { "name": "vers:unknown/14.4", "product_id": "CSAFPID-5656132", "product_identification_helper": { "purl": "pkg:composer/wwbn/avideo@14.4" } } }, { "category": "product_version_range", "name": "vers:unknown/18.0", "product": { "name": "vers:unknown/18.0", "product_id": "CSAFPID-5656133", "product_identification_helper": { "purl": "pkg:composer/wwbn/avideo@18.0" } } }, { "category": "product_version_range", "name": "vers:unknown/21.0", "product": { "name": "vers:unknown/21.0", "product_id": "CSAFPID-5721197", "product_identification_helper": { "purl": "pkg:composer/wwbn/avideo@21.0" } } }, { "category": "product_version_range", "name": "vers:unknown/22.0", "product": { "name": "vers:unknown/22.0", "product_id": "CSAFPID-5772271", "product_identification_helper": { "purl": "pkg:composer/wwbn/avideo@22.0" } } }, { "category": "product_version_range", "name": "vers:unknown/24.0", "product": { "name": "vers:unknown/24.0", "product_id": "CSAFPID-5772272", "product_identification_helper": { "purl": "pkg:composer/wwbn/avideo@24.0" } } }, { "category": "product_version_range", "name": "vers:unknown/25.0", "product": { "name": "vers:unknown/25.0", "product_id": "CSAFPID-5840723", "product_identification_helper": { "purl": "pkg:composer/wwbn/avideo@25.0" } } }, { "category": "product_version_range", "name": "vers:unknown/26.0", "product": { "name": "vers:unknown/26.0", "product_id": "CSAFPID-5878928", "product_identification_helper": { "purl": "pkg:composer/wwbn/avideo@26.0" } } }, { "category": "product_version_range", "name": "vers:unknown/>=0|<=26.0", "product": { "name": "vers:unknown/>=0|<=26.0", "product_id": "CSAFPID-5878929" } } ], "category": "product_name", "name": "avideo" } ], "category": "vendor", "name": "WWBN" } ] }, "vulnerabilities": [ { "cve": "CVE-2026-33761", "cwe": { "id": "CWE-862", "name": "Missing Authorization" }, "notes": [ { "category": "description", "text": "## Summary\n\nThree `list.json.php` endpoints in the Scheduler plugin lack any authentication check, while every other endpoint in the same plugin directories (`add.json.php`, `delete.json.php`, `index.php`) requires `User::isAdmin()`. An unauthenticated attacker can retrieve all scheduled tasks (including internal callback URLs and parameters), admin-composed email messages, and user-to-email targeting mappings by sending simple GET requests.\n\n## Details\n\nThe vulnerable files are:\n\n**1. `plugin/Scheduler/View/Scheduler_commands/list.json.php:1-7`**\n```php\n\n{\"data\": }\n```\n\n**2. `plugin/Scheduler/View/Emails_messages/list.json.php:1-10`**\n```php\n\n{\"data\": , ...}\n```\n\n**3. `plugin/Scheduler/View/Email_to_user/list.json.php:1-10`**\n```php\n\n{\"data\": , ...}\n```\n\nNone of these files check authentication before calling `getAll()`, which executes `SELECT * FROM {table}` and returns the entire table contents.\n\nIn contrast, every sibling endpoint requires admin access. For example, `plugin/Scheduler/View/Scheduler_commands/add.json.php:12-15`:\n```php\nif(!User::isAdmin()){\n $obj->msg = \"You cant do this\";\n die(json_encode($obj));\n}\n```\n\nThe `Scheduler_commands` table (defined in `plugin/Scheduler/Objects/Scheduler_commands.php`) stores fields including `callbackURL` (internal server URLs with query parameters), `parameters` (JSON blobs containing user IDs and email configuration), `status`, `timezone`, and cron scheduling fields. The `Emails_messages` table stores `subject` and `message` (full HTML email bodies composed by admins). The `Email_to_user` table maps `users_id` to `emails_messages_id`, revealing which users are targeted by which email campaigns.\n\n## PoC\n\n```bash\n# 1. Retrieve all scheduled tasks — exposes internal callbackURLs and parameters\ncurl -s 'https://target/plugin/Scheduler/View/Scheduler_commands/list.json.php' | jq '.data[] | {id, callbackURL, parameters, status, type}'\n\n# 2. Retrieve all admin-composed email messages — exposes subject and HTML body\ncurl -s 'https://target/plugin/Scheduler/View/Emails_messages/list.json.php' | jq '.data[] | {id, subject, message}'\n\n# 3. Retrieve user-to-email targeting mappings — reveals which users receive which emails\ncurl -s 'https://target/plugin/Scheduler/View/Email_to_user/list.json.php' | jq '.data[] | {users_id, emails_messages_id, sent_at}'\n```\n\nAll three return full database contents with no authentication required. No session cookie or token is needed.\n\n## Impact\n\nAn unauthenticated attacker can:\n\n- **Enumerate internal infrastructure**: `callbackURL` fields expose internal server URLs and query parameters used by the scheduler, potentially revealing internal API endpoints and their parameter structures\n- **Read admin email campaigns**: Full email subjects and HTML message bodies composed by administrators are exposed\n- **Map user targeting**: The `Email_to_user` table reveals which `users_id` values are targeted by which email campaigns, enabling user enumeration and profiling\n- **Gather reconnaissance**: Scheduling configuration (cron fields, execution status, timezone) reveals operational patterns and timing of automated tasks\n\nThe information disclosed could be used to facilitate further attacks (e.g., using discovered internal URLs for SSRF, or user IDs for targeted account attacks).\n\n## Recommended Fix\n\nAdd `User::isAdmin()` checks to all three `list.json.php` files, matching the pattern used by sibling endpoints. For each file, add the following after the `require_once` lines and before the data retrieval:\n\n**`plugin/Scheduler/View/Scheduler_commands/list.json.php`:**\n```php\n true, 'msg' => 'Not authorized']));\n}\n\n$rows = Scheduler_commands::getAll();\n?>\n{\"data\": }\n```\n\nApply the same pattern to `Emails_messages/list.json.php` and `Email_to_user/list.json.php`.", "title": "github - https://api.github.com/advisories/GHSA-j724-5c6c-68g5" }, { "category": "description", "text": "## Summary\n\nThree `list.json.php` endpoints in the Scheduler plugin lack any authentication check, while every other endpoint in the same plugin directories (`add.json.php`, `delete.json.php`, `index.php`) requires `User::isAdmin()`. An unauthenticated attacker can retrieve all scheduled tasks (including internal callback URLs and parameters), admin-composed email messages, and user-to-email targeting mappings by sending simple GET requests.\n\n## Details\n\nThe vulnerable files are:\n\n**1. `plugin/Scheduler/View/Scheduler_commands/list.json.php:1-7`**\n```php\n\n{\"data\": }\n```\n\n**2. `plugin/Scheduler/View/Emails_messages/list.json.php:1-10`**\n```php\n\n{\"data\": , ...}\n```\n\n**3. `plugin/Scheduler/View/Email_to_user/list.json.php:1-10`**\n```php\n\n{\"data\": , ...}\n```\n\nNone of these files check authentication before calling `getAll()`, which executes `SELECT * FROM {table}` and returns the entire table contents.\n\nIn contrast, every sibling endpoint requires admin access. For example, `plugin/Scheduler/View/Scheduler_commands/add.json.php:12-15`:\n```php\nif(!User::isAdmin()){\n $obj->msg = \"You cant do this\";\n die(json_encode($obj));\n}\n```\n\nThe `Scheduler_commands` table (defined in `plugin/Scheduler/Objects/Scheduler_commands.php`) stores fields including `callbackURL` (internal server URLs with query parameters), `parameters` (JSON blobs containing user IDs and email configuration), `status`, `timezone`, and cron scheduling fields. The `Emails_messages` table stores `subject` and `message` (full HTML email bodies composed by admins). The `Email_to_user` table maps `users_id` to `emails_messages_id`, revealing which users are targeted by which email campaigns.\n\n## PoC\n\n```bash\n# 1. Retrieve all scheduled tasks — exposes internal callbackURLs and parameters\ncurl -s 'https://target/plugin/Scheduler/View/Scheduler_commands/list.json.php' | jq '.data[] | {id, callbackURL, parameters, status, type}'\n\n# 2. Retrieve all admin-composed email messages — exposes subject and HTML body\ncurl -s 'https://target/plugin/Scheduler/View/Emails_messages/list.json.php' | jq '.data[] | {id, subject, message}'\n\n# 3. Retrieve user-to-email targeting mappings — reveals which users receive which emails\ncurl -s 'https://target/plugin/Scheduler/View/Email_to_user/list.json.php' | jq '.data[] | {users_id, emails_messages_id, sent_at}'\n```\n\nAll three return full database contents with no authentication required. No session cookie or token is needed.\n\n## Impact\n\nAn unauthenticated attacker can:\n\n- **Enumerate internal infrastructure**: `callbackURL` fields expose internal server URLs and query parameters used by the scheduler, potentially revealing internal API endpoints and their parameter structures\n- **Read admin email campaigns**: Full email subjects and HTML message bodies composed by administrators are exposed\n- **Map user targeting**: The `Email_to_user` table reveals which `users_id` values are targeted by which email campaigns, enabling user enumeration and profiling\n- **Gather reconnaissance**: Scheduling configuration (cron fields, execution status, timezone) reveals operational patterns and timing of automated tasks\n\nThe information disclosed could be used to facilitate further attacks (e.g., using discovered internal URLs for SSRF, or user IDs for targeted account attacks).\n\n## Recommended Fix\n\nAdd `User::isAdmin()` checks to all three `list.json.php` files, matching the pattern used by sibling endpoints. For each file, add the following after the `require_once` lines and before the data retrieval:\n\n**`plugin/Scheduler/View/Scheduler_commands/list.json.php`:**\n```php\n true, 'msg' => 'Not authorized']));\n}\n\n$rows = Scheduler_commands::getAll();\n?>\n{\"data\": }\n```\n\nApply the same pattern to `Emails_messages/list.json.php` and `Email_to_user/list.json.php`.", "title": "osv - https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/Packagist%2FGHSA-j724-5c6c-68g5.json?alt=media" }, { "category": "description", "text": "WWBN AVideo is an open source video platform. In versions up to and including 26.0, three `list.json.php` endpoints in the Scheduler plugin lack any authentication check, while every other endpoint in the same plugin directories (`add.json.php`, `delete.json.php`, `index.php`) requires `User::isAdmin()`. An unauthenticated attacker can retrieve all scheduled tasks (including internal callback URLs and parameters), admin-composed email messages, and user-to-email targeting mappings by sending simple GET requests. Commit 83390ab1fa8dca2de3f8fa76116a126428405431 contains a patch.", "title": "nvd - https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-33761" }, { "category": "description", "text": "WWBN AVideo is an open source video platform. In versions up to and including 26.0, three `list.json.php` endpoints in the Scheduler plugin lack any authentication check, while every other endpoint in the same plugin directories (`add.json.php`, `delete.json.php`, `index.php`) requires `User::isAdmin()`. An unauthenticated attacker can retrieve all scheduled tasks (including internal callback URLs and parameters), admin-composed email messages, and user-to-email targeting mappings by sending simple GET requests. Commit 83390ab1fa8dca2de3f8fa76116a126428405431 contains a patch.", "title": "cveprojectv5 - https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/33xxx/CVE-2026-33761.json" }, { "category": "other", "text": "0.00044", "title": "EPSS" }, { "category": "other", "text": "3.9", "title": "NCSC Score" }, { "category": "other", "text": "There is exploit data available from source Nvd, Is related to (a version of) an uncommon product, Exploit code publicly available", "title": "NCSC Score top decreasing factors" } ], "product_status": { "known_affected": [ "CSAFPID-5656122", "CSAFPID-5656123", "CSAFPID-5656124", "CSAFPID-5656125", "CSAFPID-5656126", "CSAFPID-5656127", "CSAFPID-5656128", "CSAFPID-5656129", "CSAFPID-5656130", "CSAFPID-5656131", "CSAFPID-5656132", "CSAFPID-5656133", "CSAFPID-5721197", "CSAFPID-5772271", "CSAFPID-5772272", "CSAFPID-5840723", "CSAFPID-5878928", "CSAFPID-5878929", "CSAFPID-5893889" ] }, "references": [ { "category": "external", "summary": "Source - github", "url": "https://api.github.com/advisories/GHSA-j724-5c6c-68g5" }, { "category": "external", "summary": "Source - osv", "url": "https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/Packagist%2FGHSA-j724-5c6c-68g5.json?alt=media" }, { "category": "external", "summary": "Source - nvd", "url": "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-33761" }, { "category": "external", "summary": "Source - cveprojectv5", "url": "https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/33xxx/CVE-2026-33761.json" }, { "category": "external", "summary": "Source - first", "url": "https://api.first.org/data/v1/epss?limit=10000&offset=0" }, { "category": "external", "summary": "Reference - cveprojectv5; github; nvd; osv", "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-j724-5c6c-68g5" }, { "category": "external", "summary": "Reference - cveprojectv5; github; nvd; osv", "url": "https://github.com/WWBN/AVideo/commit/83390ab1fa8dca2de3f8fa76116a126428405431" }, { "category": "external", "summary": "Reference - github", "url": "https://github.com/advisories/GHSA-j724-5c6c-68g5" }, { "category": "external", "summary": "Reference - github", "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33761" } ], "scores": [ { "cvss_v3": { "version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM" }, "products": [ "CSAFPID-5656122", "CSAFPID-5656123", "CSAFPID-5656124", "CSAFPID-5656125", "CSAFPID-5656126", "CSAFPID-5656127", "CSAFPID-5656128", "CSAFPID-5656129", "CSAFPID-5656130", "CSAFPID-5656131", "CSAFPID-5656132", "CSAFPID-5656133", "CSAFPID-5721197", "CSAFPID-5772271", "CSAFPID-5772272", "CSAFPID-5840723", "CSAFPID-5878928", "CSAFPID-5878929", "CSAFPID-5893889" ] } ], "title": "CVE-2026-33761" } ] }