PT-2026-27192 · Avideo · Cdn Plugin

Restriction · Published 2026-03-23 · Updated 2026-03-26 · CVE-2026-33719

CVSS v3.1

8.6 High

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L

Name of the Vulnerable Software and Affected Versions

AVideo versions up to and including 26.0

Description

AVideo is an open source video platform. The CDN plugin endpoints plugin/CDN/status.json.php and plugin/CDN/disable.json.php use key-based authentication with an empty string as the default key. When the CDN plugin is enabled and the key is not configured, the key validation check is bypassed. This allows unauthenticated attackers to modify the full CDN configuration, including CDN URLs, storage credentials, and the authentication key itself, via mass-assignment through the par request parameter.

Recommendations

Update to a version after 26.0.
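
The two weaknesses named in the description, an empty default key and mass-assignment from the par parameter, sketched beside a hardened form of each. This is an added example, not AVideo's code: the function names, the config field names, the sample values and the direct-comparison shape of the weak check are all assumptions.

```php
<?php
// Added illustration, not AVideo's code. All function and field names are
// hypothetical; the weak check's exact shape is an assumption.

// Weak: the configured key defaults to '' and is compared directly, so an
// unconfigured plugin accepts a request that supplies an empty key.
function key_ok_weak(string $configured, string $supplied): bool
{
    return $supplied === $configured;
}

// Hardened: an unset key fails closed; comparison is constant-time.
function key_ok_hardened(string $configured, string $supplied): bool
{
    if ($configured === '') {
        return false; // endpoint stays disabled until a key is set
    }
    return hash_equals($configured, $supplied);
}

// Weak: every field in the request is copied into the configuration,
// including credentials and the authentication key itself.
function apply_weak(array $config, array $par): array
{
    return array_merge($config, $par);
}

// Hardened: only allow-listed, non-secret fields may be changed here.
const EDITABLE_FIELDS = ['cdn_url']; // hypothetical field name

function apply_hardened(array $config, array $par): array
{
    foreach (EDITABLE_FIELDS as $name) {
        if (isset($par[$name]) && is_string($par[$name])) {
            $config[$name] = $par[$name];
        }
    }
    return $config;
}

// Constructed sample: plugin enabled, key never configured.
$config = ['key' => '', 'cdn_url' => 'https://cdn.example.test/', 'storage_secret' => 'placeholder'];
$par    = ['key' => 'changed', 'cdn_url' => 'https://other.example.test/', 'storage_secret' => 'changed'];

var_dump(key_ok_weak($config['key'], ''), key_ok_hardened($config['key'], ''));
echo "weak changes: ", implode(', ', array_keys(array_diff_assoc(apply_weak($config, $par), $config))), "\n";
echo "hardened changes: ", implode(', ', array_keys(array_diff_assoc(apply_hardened($config, $par), $config))), "\n";
```

Until the update is applied, a deployment with the CDN plugin enabled can be checked for an unset key, which is the precondition the description gives for the bypass.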

Exploit

Fix

Missing Authentication

Weakness Enumeration

Related Identifiers

CVE-2026-33719
GHSA-R64R-883R-WCWH

Affected Products

Avideo
Cdn Plugin