CVE-2026-33650

Name of the Vulnerable Software and Affected Versions AVideo versions up to and including 26.0

Description AVideo is an open source video platform. A user with the "Videos Moderator" permission can escalate privileges to perform full video management operations, including ownership transfer and deletion of any video, despite the permission being documented as only allowing video publicity changes. This is due to an asymmetric authorization boundary where Permissions::canModerateVideos() is used for full video editing in videoAddNew.json.php, while videoDelete.json.php only checks ownership. This allows exploitation through a two-step ownership-transfer-then-delete chain. The vulnerable function is Permissions::canModerateVideos().

Recommendations Update to a version beyond 26.0.