PT-2026-27187 · Avideo · Avideo

Restriction · Published 2026-03-23 · Updated 2026-03-25 · CVE-2026-33685

CVSS v3.1: 5.3 (Medium)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: AVideo versions prior to 26.1

Description: AVideo is an open source video platform. Versions up to and including 26.0 lack authentication and authorization checks on the plugin/AD Server/reports.json.php endpoint. This allows unauthenticated attackers to extract ad campaign analytics data, including video titles, user channel names, user IDs, ad campaign names, and impression/click counts. The HTML counterpart (reports.php) and CSV export (getCSV.php) correctly enforce User::isAdmin(), but the JSON API was left unprotected.

Recommendations: Update AVideo to version 26.1 or later.
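As an added example, not AVideo's own code and not its 26.1 patch: a guard that a JSON endpoint such as reports.json.php would call before building or emitting anything, applying the same User::isAdmin() check the advisory says reports.php and getCSV.php already enforce. The guard's name, the bootstrap include placeholder and the $report data are assumptions; only User::isAdmin() comes from the advisory.

```php
<?php
// Added example (not AVideo's own code): deny-by-default admin guard for a
// JSON report endpoint. Assumes the application's bootstrap has already
// loaded the User class; replace the placeholder include with the real one.
require_once 'PATH/TO/APPLICATION/bootstrap.php'; // placeholder, hypothetical

function requireAdminForJson(): void
{
    // Same authorization check the HTML and CSV variants enforce.
    // Runs before any query or output, so nothing leaks on the deny path
    // and header() still works (no output has been sent yet).
    if (!User::isAdmin()) {
        header('Content-Type: application/json');
        http_response_code(403);
        echo json_encode(['error' => true, 'msg' => 'admin privileges required']);
        exit;
    }
}

// First statement of the endpoint, ahead of any data access.
requireAdminForJson();

// Only reached by an admin session. $report is a hypothetical stand-in for
// the campaign analytics (titles, channels, impressions, clicks) the real
// endpoint returns.
$report = ['campaigns' => []];
header('Content-Type: application/json');
echo json_encode($report);
```

When reviewing a deployment, confirm that every entry point serving the same data (HTML, CSV and JSON) shares one guard rather than each re-implementing the check; this vulnerability is exactly the case where one sibling was missed.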

Exploit

Fix

Weakness Enumeration

Missing Authorization

Related identifiers

CVE-2026-33685
GHSA-J36M-74G2-7M95

Affected products

Avideo